
On 4/20/22 03:40, Christian Ehrhardt wrote:
On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@canonical.com> wrote:
Hi Lena, the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
But we should add a non-empty commit message here. Just outline that this is needed when swtpm itself runs under a profile called "swtpm". And maybe reference the upstreaming of that profile into the swtpm project.
P.S. Also adding Jim to CC as he looks at AppArmor from SUSE's POV sometimes.
I see this patch has already been pushed. Regardless, it LGTM. Regards, Jim
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
---
 src/security/apparmor/libvirt-qemu         | 3 ++-
 src/security/apparmor/usr.sbin.libvirtd.in | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 250ba4ea58..c29168da27 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -180,7 +180,7 @@ audit deny /{var/,}run/qemu/*/*.so w,
# swtpm - /{usr/,}bin/swtpm rmix, + /{usr/,}bin/swtpm rmpix, /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
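Review bot: the `pix` in `/{usr/,}bin/swtpm rmpix,` only takes effect when a profile is attached to the swtpm binary, and the peer rules in the rest of this patch are keyed to a profile literally named `swtpm`; the commit message (currently empty) should state both of those, and that with the `i` fallback swtpm keeps inheriting the VM's profile as before, so hosts without a swtpm profile see no behaviour change. Consider whether `Pix` (environment scrubbed on the transition) is wanted here, since swtpm is being handed its own confinement domain.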
@@ -226,6 +226,7 @@ unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), unix (send, receive) type=stream addr=none peer=(label=virtqemud), + unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources /sys/devices/system/cpu/ r, diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f2ab6ff2aa..886f1ad518 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, + ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq, signal (send) peer=/usr/sbin/dnsmasq, -- 2.25.1
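Review bot: `unix (send, receive) type=stream addr=none peer=(label=swtpm),` is only qemu's half of the socket policy; AppArmor mediates both endpoints, so the `swtpm` profile needs the mirror rule (for the per-VM profiles, something like `unix (send, receive) type=stream addr=none peer=(label=libvirt-*),`) or the TPM traffic is refused on swtpm's side. That mirror rule belongs in the upstream swtpm profile rather than in this patch, but the commit message should reference it so the two changes are not shipped apart.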
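Review bot: `ptrace (read,trace) peer=swtpm,` grants libvirtd ptrace-attach (`trace`) on swtpm as well as `/proc` reads; it mirrors the neighbouring `dnsmasq` and `libvirt-*` rules, but if libvirtd only needs to read swtpm's `/proc` entries, `ptrace (read) peer=swtpm,` is the tighter grant. The `signal (send) peer=dnsmasq,` lines directly below are also a prompt to check whether libvirtd stops swtpm with a signal now that swtpm runs under its own label; if it does, a matching `signal (send) peer=swtpm,` is missing from this hunk.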