Re: [PATCH] apparmor: Allow swtpm to use its own apparmor profile
On 4/20/22 03:40, Christian Ehrhardt wrote:
On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek
<lena.voytek(a)canonical.com> wrote:
Hi Lena,
the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
But we should add a non-empty commit message here.
Just outline that this is needed when swtpm itself runs under a
profile called "swtpm".
And maybe reference the upstreaming of that profile into the swtpm project.
P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes.
I see this patch has already been pushed. Regardless, it LGTM.
Regards,
Jim
> Signed-off-by: Lena Voytek <lena.voytek(a)canonical.com>
> ---
> src/security/apparmor/libvirt-qemu | 3 ++-
> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 250ba4ea58..c29168da27 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -180,7 +180,7 @@
> audit deny /{var/,}run/qemu/*/*.so w,
>
> # swtpm
> - /{usr/,}bin/swtpm rmix,
> + /{usr/,}bin/swtpm rmpix,
> /usr/{lib,lib64}/libswtpm_libtpms.so mr,
> /usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
>
> @@ -226,6 +226,7 @@
> unix (send, receive) type=stream addr=none peer=(label=libvirtd),
> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> unix (send, receive) type=stream addr=none peer=(label=virtqemud),
> + unix (send, receive) type=stream addr=none peer=(label=swtpm),
>
> # for gathering information about available host resources
> /sys/devices/system/cpu/ r,
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2ab6ff2aa..886f1ad518 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> ptrace (read,trace) peer=dnsmasq,
> ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> ptrace (read,trace) peer=libvirt-*,
> + ptrace (read,trace) peer=swtpm,
>
> signal (send) peer=dnsmasq,
> signal (send) peer=/usr/sbin/dnsmasq,
> --
> 2.25.1
>