src/security/apparmor/libvirt-qemu | 3 ++- src/security/apparmor/usr.sbin.libvirtd.in | 1 + 2 files changed, 3 insertions(+), 1 deletion(-)
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
---
src/security/apparmor/libvirt-qemu | 3 ++-
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
@@ -226,6 +226,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
--
2.25.1On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@canonical.com> wrote:
Hi Lena,
the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
But we should add a non-empty commit message here.
Just outline that this is needed when swtpm itself runs under a
profile called "swtpm".
And maybe reference the upstreaming of that profile into the swtpm project.
P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes.
> Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
> ---
> src/security/apparmor/libvirt-qemu | 3 ++-
> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> 2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 250ba4ea58..c29168da27 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -180,7 +180,7 @@
> audit deny /{var/,}run/qemu/*/*.so w,
>
> # swtpm
> - /{usr/,}bin/swtpm rmix,
> + /{usr/,}bin/swtpm rmpix,
> /usr/{lib,lib64}/libswtpm_libtpms.so mr,
> /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
>
> @@ -226,6 +226,7 @@
> unix (send, receive) type=stream addr=none peer=(label=libvirtd),
> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
> unix (send, receive) type=stream addr=none peer=(label=virtqemud),
> + unix (send, receive) type=stream addr=none peer=(label=swtpm),
>
> # for gathering information about available host resources
> /sys/devices/system/cpu/ r,
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2ab6ff2aa..886f1ad518 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> ptrace (read,trace) peer=dnsmasq,
> ptrace (read,trace) peer=/usr/sbin/dnsmasq,
> ptrace (read,trace) peer=libvirt-*,
> + ptrace (read,trace) peer=swtpm,
>
> signal (send) peer=dnsmasq,
> signal (send) peer=/usr/sbin/dnsmasq,
> --
> 2.25.1
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
On 4/20/22 03:40, Christian Ehrhardt wrote:
> On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@canonical.com> wrote:
>
> Hi Lena,
> the code is fine - I can confirm that this works well in Ubuntu 22.04 already.
>
> But we should add a non-empty commit message here.
> Just outline that this is needed when swtpm itself runs under a
> profile called "swtpm".
> And maybe reference the upstreaming of that profile into the swtpm project.
>
> P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes.
I see this patch has already been pushed. Regardless, it LGTM.
Regards,
Jim
>
>> Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
>> ---
>> src/security/apparmor/libvirt-qemu | 3 ++-
>> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
>> 2 files changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
>> index 250ba4ea58..c29168da27 100644
>> --- a/src/security/apparmor/libvirt-qemu
>> +++ b/src/security/apparmor/libvirt-qemu
>> @@ -180,7 +180,7 @@
>> audit deny /{var/,}run/qemu/*/*.so w,
>>
>> # swtpm
>> - /{usr/,}bin/swtpm rmix,
>> + /{usr/,}bin/swtpm rmpix,
>> /usr/{lib,lib64}/libswtpm_libtpms.so mr,
>> /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
>>
>> @@ -226,6 +226,7 @@
>> unix (send, receive) type=stream addr=none peer=(label=libvirtd),
>> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
>> unix (send, receive) type=stream addr=none peer=(label=virtqemud),
>> + unix (send, receive) type=stream addr=none peer=(label=swtpm),
>>
>> # for gathering information about available host resources
>> /sys/devices/system/cpu/ r,
>> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
>> index f2ab6ff2aa..886f1ad518 100644
>> --- a/src/security/apparmor/usr.sbin.libvirtd.in
>> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
>> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>> ptrace (read,trace) peer=dnsmasq,
>> ptrace (read,trace) peer=/usr/sbin/dnsmasq,
>> ptrace (read,trace) peer=libvirt-*,
>> + ptrace (read,trace) peer=swtpm,
>>
>> signal (send) peer=dnsmasq,
>> signal (send) peer=/usr/sbin/dnsmasq,
>> --
>> 2.25.1
>>
>
>
© 2016 - 2024 Red Hat, Inc.