On 7/14/21 3:13 AM, Michal Prívozník wrote:
On 7/13/21 8:38 PM, Stefan Berger wrote:
> Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
> its state files into so that "the entry in the directory containing the
> file has also reached disk" (fsync(2)).
>
> Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com>
> ---
> src/security/virt-aa-helper.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 52cfebf6e0..e21557c810 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
> " \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\"
rw,\n",
> RUNSTATEDIR, shortName);
> /* Paths for swtpm to use: give it access to its state
> - * directory, log, and PID files.
> + * directory (state files and fsync on dir), log, and PID files.
> */
> + virBufferAsprintf(&buf,
> + " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
> + LOCALSTATEDIR, uuidstr, tpmpath);
> virBufferAsprintf(&buf,
> " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
> LOCALSTATEDIR, uuidstr, tpmpath);
>
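Review bot: the comment added at `+ * directory (state files and fsync on dir), log, and PID files.` should spell out why a second rule is required at all: the existing `"%s/lib/libvirt/swtpm/%s/%s/**" rwk` rule matches only entries below the state directory, never the directory itself, so swtpm's open(2) of the directory for the fsync(2) described in the commit message is denied without the new `"%s/lib/libvirt/swtpm/%s/%s/" r` line. Suggest wording along the lines of "directory itself (read-only, so swtpm >= 0.7.0 can fsync it; `**` does not match the directory)". Recording the 0.7.0 dependency next to the rule also tells a future reader when the rule became necessary. The trailing slash in the new path is correct, since AppArmor matches a directory only when the rule path ends in `/`, and `r` is sufficient because fsync on an O_RDONLY directory fd is not separately mediated.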
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Although it took me a bit to realize that 0.7.0 is yet to be released :-)
Right. And I am thinking of deactivating the 'offending' fsync in the
Ubuntu version for quite a while until this AppArmor fix here has
propagated.
Thanks for pushing.
Stefan
Michal