12:10 p.m.
Signed-off-by: Lena Voytek <lena.voytek(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 3 ++-
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
@@ -226,6 +226,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
--
2.25.1
4:40 a.m.
On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek(a)canonical.com> wrote:
Hi Lena,
the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
But we should add a non-empty commit message here.
Just outline that this is needed when swtpm itself runs under a
profile called "swtpm".
And maybe reference the upstreaming of that profile into the swtpm project.
P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes.
Signed-off-by: Lena Voytek <lena.voytek(a)canonical.com>
---
src/security/apparmor/libvirt-qemu | 3 ++-
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
@@ -226,6 +226,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
--
2.25.1
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
9:58 a.m.
On 4/20/22 03:40, Christian Ehrhardt wrote:
On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek
<lena.voytek(a)canonical.com> wrote:
Hi Lena,
the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
But we should add a non-empty commit message here.
Just outline that this is needed when swtpm itself runs under a
profile called "swtpm".
And maybe reference the upstreaming of that profile into the swtpm project.
P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes.
I see this patch has already been pushed. Regardless, it LGTM.
Regards,
Jim
> Signed-off-by: Lena Voytek <lena.voytek(a)canonical.com>
> ---
> src/security/apparmor/libvirt-qemu | 3 ++-
> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 250ba4ea58..c29168da27 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -180,7 +180,7 @@
> audit deny /{var/,}run/qemu/*/*.so w,
>
> # swtpm
> - /{usr/,}bin/swtpm rmix,
> + /{usr/,}bin/swtpm rmpix,
> /usr/{lib,lib64}/libswtpm_libtpms.so mr,
> /usr/lib/(a){multiarch}/libswtpm_libtpms.so mr,
>
> @@ -226,6 +226,7 @@
> unix (send, receive) type=stream addr=none peer=(label=libvirtd),
> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> unix (send, receive) type=stream addr=none peer=(label=virtqemud),
> + unix (send, receive) type=stream addr=none peer=(label=swtpm),
>
> # for gathering information about available host resources
> /sys/devices/system/cpu/ r,
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2ab6ff2aa..886f1ad518 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> ptrace (read,trace) peer=dnsmasq,
> ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> ptrace (read,trace) peer=libvirt-*,
> + ptrace (read,trace) peer=swtpm,
>
> signal (send) peer=dnsmasq,
> signal (send) peer=/usr/sbin/dnsmasq,
> --
> 2.25.1
>
948
days inactive
950
days old
2 comments
3 participants
participants (3)
-
Christian Ehrhardt -
Jim Fehlig -
Lena Voytek