examples/apparmor/libvirt-qemu | 5 +++++ src/security/virt-aa-helper.c | 45 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+)
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.
Both, QEMU and swtpm, use this AppArmor profile.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
examples/apparmor/libvirt-qemu | 5 +++++
src/security/virt-aa-helper.c | 45 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 874aca2092..df5f512487 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,11 @@
/usr/{lib,lib64}/qemu/*.so mr,
/usr/lib/@{multiarch}/qemu/*.so mr,
+ # swtpm
+ /{usr/,}bin/swtpm rmix,
+ /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+ /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
# for save and resume
/{usr/,}bin/dash rmix,
/{usr/,}bin/dd rmix,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 971ee6733c..952b496f21 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1181,6 +1181,51 @@ get_files(vahControl * ctl)
}
}
+ if (ctl->def->tpm) {
+ char *shortName = NULL;
+ const char *tpmpath = NULL;
+
+ switch (ctl->def->tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ shortName = virDomainDefGetShortName(ctl->def);
+
+ switch (ctl->def->tpm->version) {
+ case VIR_DOMAIN_TPM_VERSION_1_2:
+ tpmpath = "tpm1.2";
+ break;
+ case VIR_DOMAIN_TPM_VERSION_2_0:
+ tpmpath = "tpm2";
+ break;
+ case VIR_DOMAIN_TPM_VERSION_DEFAULT:
+ case VIR_DOMAIN_TPM_VERSION_LAST:
+ break;
+ }
+
+ /* Unix socket for QEMU and swtpm to use */
+ virBufferAsprintf(&buf,
+ " \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
+ shortName);
+ /* Paths for swtpm to use: give it access to its state
+ * directory, log, and PID files.
+ */
+ virBufferAsprintf(&buf,
+ " \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+ LOCALSTATEDIR, uuidstr, tpmpath);
+ virBufferAsprintf(&buf,
+ " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+ LOCALSTATEDIR, ctl->def->name);
+ virBufferAsprintf(&buf,
+ " \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+ shortName);
+
+ VIR_FREE(shortName);
+ break;
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ }
+ }
+
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i];
--
2.14.4
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On 06/19/2018 09:52 AM, Stefan Berger wrote:
> This patch extends the AppArmor domain profile with file paths
> the swtpm accesses for state, log, pid, and socket files.
>
> Both, QEMU and swtpm, use this AppArmor profile.
>
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Sorry for pestering, but would like to get this in.
The existing AA profiles in the examples dir do not work for me. It
seems like distros are creating their own profile. So the profile
extension are there to show whoever may look at this that there's now a
swtpm process also running. The 'c' code should be correct, though.
Stefan
> ---
> examples/apparmor/libvirt-qemu | 5 +++++
> src/security/virt-aa-helper.c | 45 ++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 50 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 874aca2092..df5f512487 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -158,6 +158,11 @@
> /usr/{lib,lib64}/qemu/*.so mr,
> /usr/lib/@{multiarch}/qemu/*.so mr,
>
> + # swtpm
> + /{usr/,}bin/swtpm rmix,
> + /usr/{lib,lib64}/libswtpm_libtpms.so mr,
> + /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
> +
> # for save and resume
> /{usr/,}bin/dash rmix,
> /{usr/,}bin/dd rmix,
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 971ee6733c..952b496f21 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1181,6 +1181,51 @@ get_files(vahControl * ctl)
> }
> }
>
> + if (ctl->def->tpm) {
> + char *shortName = NULL;
> + const char *tpmpath = NULL;
> +
> + switch (ctl->def->tpm->type) {
> + case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> + shortName = virDomainDefGetShortName(ctl->def);
> +
> + switch (ctl->def->tpm->version) {
> + case VIR_DOMAIN_TPM_VERSION_1_2:
> + tpmpath = "tpm1.2";
> + break;
> + case VIR_DOMAIN_TPM_VERSION_2_0:
> + tpmpath = "tpm2";
> + break;
> + case VIR_DOMAIN_TPM_VERSION_DEFAULT:
> + case VIR_DOMAIN_TPM_VERSION_LAST:
> + break;
> + }
> +
> + /* Unix socket for QEMU and swtpm to use */
> + virBufferAsprintf(&buf,
> + " \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
> + shortName);
> + /* Paths for swtpm to use: give it access to its state
> + * directory, log, and PID files.
> + */
> + virBufferAsprintf(&buf,
> + " \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
> + LOCALSTATEDIR, uuidstr, tpmpath);
> + virBufferAsprintf(&buf,
> + " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
> + LOCALSTATEDIR, ctl->def->name);
> + virBufferAsprintf(&buf,
> + " \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
> + shortName);
> +
> + VIR_FREE(shortName);
> + break;
> + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
> + case VIR_DOMAIN_TPM_TYPE_LAST:
> + break;
> + }
> + }
> +
> if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
> for (i = 0; i < ctl->def->nnets; i++) {
> virDomainNetDefPtr net = ctl->def->nets[i];
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On 06/19/2018 03:52 PM, Stefan Berger wrote: > This patch extends the AppArmor domain profile with file paths > the swtpm accesses for state, log, pid, and socket files. > > Both, QEMU and swtpm, use this AppArmor profile. > > Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> > Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com> > --- > examples/apparmor/libvirt-qemu | 5 +++++ > src/security/virt-aa-helper.c | 45 ++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 50 insertions(+) ACK and safe for freeze. Michal -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
On 06/28/2018 03:55 AM, Michal Prívozník wrote: > On 06/19/2018 03:52 PM, Stefan Berger wrote: >> This patch extends the AppArmor domain profile with file paths >> the swtpm accesses for state, log, pid, and socket files. >> >> Both, QEMU and swtpm, use this AppArmor profile. >> >> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> >> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com> >> --- >> examples/apparmor/libvirt-qemu | 5 +++++ >> src/security/virt-aa-helper.c | 45 ++++++++++++++++++++++++++++++++++++++++++ >> 2 files changed, 50 insertions(+) > ACK and safe for freeze. I pushed this now. Thanks. > > Michal > -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
© 2016 - 2024 Red Hat, Inc.