[PATCH] apparmor: Allow swtpm to use its own apparmor profile

Signed-off-by: Lena Voytek <lena.voytek@canonical.com> --- src/security/apparmor/libvirt-qemu | 3 ++- src/security/apparmor/usr.sbin.libvirtd.in | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu index 250ba4ea58..c29168da27 100644 --- a/src/security/apparmor/libvirt-qemu +++ b/src/security/apparmor/libvirt-qemu @@ -180,7 +180,7 @@ audit deny /{var/,}run/qemu/*/*.so w, # swtpm - /{usr/,}bin/swtpm rmix, + /{usr/,}bin/swtpm rmpix, /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, @@ -226,6 +226,7 @@ unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), unix (send, receive) type=stream addr=none peer=(label=virtqemud), + unix (send, receive) type=stream addr=none peer=(label=swtpm), # for gathering information about available host resources /sys/devices/system/cpu/ r, diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index f2ab6ff2aa..886f1ad518 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, + ptrace (read,trace) peer=swtpm, signal (send) peer=dnsmasq, signal (send) peer=/usr/sbin/dnsmasq, -- 2.25.1
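Review bot: in the `/{usr/,}bin/swtpm rmpix,` hunk of libvirt-qemu, moving from `ix` to `pix` means swtpm stops inheriting this abstraction's rules as soon as a profile attached to /usr/bin/swtpm is loaded, so the `libswtpm_libtpms.so mr` context lines kept below the change (and every other path swtpm touches at runtime) then only serve the `ix` fallback; the swtpm profile has to grant all of that itself. The commit message is empty, so state that precondition there: the change relies on the swtpm profile being complete, and `pix` keeps the old inherit behaviour only where no such profile is loaded.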
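Review bot: the new `peer=(label=swtpm)` rule in the `unix (send, receive)` hunk matches only a profile literally named `swtpm`, while the libvirtd entries directly above it carry both the short name (`label=libvirtd`) and the path form (`label=/usr/sbin/libvirtd`) for distributions that name profiles by path; swtpm gets just the short form. Either add `peer=(label=/usr/bin/swtpm)` next to it or record in the commit message that the rule depends on the upstream profile being named `swtpm`. This rule also covers only qemu's side of the socket; the swtpm profile needs the reciprocal `unix` rule towards `libvirt-*` peers, which this patch cannot supply.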
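Review bot: in the usr.sbin.libvirtd.in hunk the existing ptrace entries come in pairs (`peer=dnsmasq` and `peer=/usr/sbin/dnsmasq`), but only `ptrace (read,trace) peer=swtpm,` is added, so the path-named variant is missing here as in the qemu hunk. Also check the `signal (send)` block that follows as context: it has `peer=dnsmasq` entries for a helper libvirtd terminates itself, and libvirtd likewise stops swtpm when the guest shuts down, so a `signal (send) peer=swtpm,` rule is probably needed too; if that was verified as unnecessary, say so in the commit message. Note this profile is libvirtd only: virtqemud is named as a peer label in the qemu hunk but gets no matching ptrace rule in this patch.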

On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@canonical.com> wrote:

Hi Lena,
the code is fine - I can confirm that this works well in Ubuntu 22.04 already.

But we should add a non-empty commit message here. Just outline that this is needed when swtpm itself runs under a profile called "swtpm". And maybe reference the upstreaming of that profile into the swtpm project.

P.S. also adding Jim to CC as he looks at apparmor from SUSE's POV sometimes.
-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
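A host-side check for the condition Christian points out above: the new peer rules only help when the running swtpm is actually confined under a profile labelled "swtpm". This is an added example, not libvirt's or swtpm's code. The rule snippet embedded in it is the hunk's own text used as constructed input; the function names and the classification strings are mine, and glob matching of labels with fnmatch is an approximation of AppArmor's own matching.

```python
"""Report which AppArmor label each running swtpm carries and whether the
libvirt-qemu peer rules would match it (added example, not libvirt code)."""
import fnmatch
import os
import re

# Constructed sample: the unix rules from src/security/apparmor/libvirt-qemu
# as they read after the patch above.
SAMPLE_QEMU_RULES = """
  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
  unix (send, receive) type=stream addr=none peer=(label=virtqemud),
  unix (send, receive) type=stream addr=none peer=(label=swtpm),
"""

PEER_LABEL_RE = re.compile(r"^\s*unix\b.*peer=\(label=([^)]+)\)")


def unix_peer_labels(profile_text):
    """Collect the labels named by `unix ... peer=(label=...)` rules."""
    labels = set()
    for line in profile_text.splitlines():
        m = PEER_LABEL_RE.match(line)
        if m:
            labels.add(m.group(1).strip())
    return labels


def parse_confinement(attr_current):
    """Parse /proc/<pid>/attr/current: 'name (mode)' or 'unconfined'."""
    text = attr_current.strip()
    if text == "unconfined":
        return ("unconfined", None)
    m = re.fullmatch(r"(.+?) \((\w+)\)", text)
    if not m:
        raise ValueError("unrecognised confinement string: %r" % text)
    return (m.group(1), m.group(2))


def classify(label, allowed_labels):
    """Say whether qemu's peer rules will match a swtpm confined as `label`.

    Three outcomes matter for the pix transition in the patch:
      - label is the per-VM libvirt-<uuid> profile: no swtpm profile was
        loaded, pix fell back to ix (previous behaviour);
      - label is exactly one of the peer labels: the new rule applies;
      - anything else (e.g. a path-named /usr/bin/swtpm profile): the
        transition happened but no peer=(label=...) rule names it.
    """
    if label == "unconfined":
        return "unconfined: swtpm runs under no profile, peer rules do not apply"
    if label.startswith("libvirt-"):
        return "inherited: pix fell back to ix, swtpm is still in the per-VM profile"
    for allowed in allowed_labels:
        # Approximation of AppArmor label matching (assumption: glob semantics).
        if fnmatch.fnmatchcase(label, allowed):
            return "ok: label %r matches peer rule %r" % (label, allowed)
    return "mismatch: swtpm runs as %r but no peer=(label=...) rule names it" % label


def running_swtpm_labels(proc="/proc"):
    """Map pid -> (label, mode) for every live swtpm process (Linux only)."""
    found = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                if f.read().strip() != "swtpm":
                    continue
            with open(os.path.join(proc, pid, "attr", "current")) as f:
                found[int(pid)] = parse_confinement(f.read())
        except OSError:
            continue  # process went away, or no AppArmor attr interface
    return found


if __name__ == "__main__":
    allowed = unix_peer_labels(SAMPLE_QEMU_RULES)
    procs = running_swtpm_labels()
    if not procs:
        print("no swtpm process found")
    for pid, (label, mode) in sorted(procs.items()):
        print("pid %d [%s %s]: %s" % (pid, label, mode, classify(label, allowed)))
```

Run it on a host with a running TPM-backed guest; a "mismatch" line for a label such as /usr/bin/swtpm means the distribution names the profile by path and the `label=swtpm` rule will not match it.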

On 4/20/22 03:40, Christian Ehrhardt wrote:
> On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@canonical.com> wrote:
> Hi Lena, the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
> But we should add a non-empty commit message here. Just outline that this is needed when swtpm itself runs under a profile called "swtpm". And maybe reference the upstreaming of that profile into the swtpm project.
> P.S. also adding Jim to CC as he looks at apparmor from SUSE's POV sometimes.

I see this patch has already been pushed. Regardless, it LGTM.

Regards,
Jim
participants (3): Christian Ehrhardt, Jim Fehlig, Lena Voytek