src/security/apparmor/libvirt-qemu | 3 ++- src/security/apparmor/usr.sbin.libvirtd.in | 1 + 2 files changed, 3 insertions(+), 1 deletion(-)
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
---
src/security/apparmor/libvirt-qemu | 3 ++-
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
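Review bot: The change from `rmix` to `rmpix` on the swtpm line alters which profile confines swtpm, yet the hunk leaves the bare `# swtpm` header with no explanation; it should be extended, e.g. `# swtpm: transition to the "swtpm" profile when one is loaded (p), else inherit this profile (ix fallback)`. That fallback also means the `peer=(label=swtpm)` unix rule in the next hunk and the `ptrace ... peer=swtpm` rule in usr.sbin.libvirtd.in only take effect on hosts that actually ship such a profile, which is worth stating in the same comment. Lowercase `p` keeps the caller's environment across the transition; if environment scrubbing is intended, `Pix` is the variant to use — confirm which is wanted here.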
@@ -226,6 +226,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,
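Review bot: The new unix rule names the peer only as `label=swtpm`, while the neighbouring rules list both the short profile name and the path form (`libvirtd` and `/usr/sbin/libvirtd`); whether one form is enough depends on the name the swtpm package gives its profile. If the shipped profile is attached by path rather than named `swtpm`, a second line `unix (send, receive) type=stream addr=none peer=(label=/usr/bin/swtpm),` would be needed for the socket to be allowed after the pix transition in the first hunk. The same consideration applies to the `ptrace (read,trace) peer=swtpm,` line in usr.sbin.libvirtd.in, whose neighbours likewise carry both `dnsmasq` and `/usr/sbin/dnsmasq`.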
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
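Review bot: Only ptrace is extended to the swtpm peer, but the context lines directly below show libvirtd also carries `signal (send)` rules for the helper processes it manages; if libvirtd terminates swtpm on domain shutdown, a matching `signal (send) peer=swtpm,` would be needed once swtpm no longer runs under a libvirt-* label. That is inferred from the dnsmasq pattern rather than from lines in this hunk, so confirm against the swtpm stop path before adding it. The `profile libvirtd` block continues outside the hunk.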
--
2.25.1
On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@canonical.com> wrote: Hi Lena, the code is fine - I can confirm that this works well in Ubuntu 22.04 already. But we should add a non-empty commit message here. Just outline that this is needed when swtpm itself runs under a profile called "swtpm". And maybe reference the upstreaming of that profile into the swtpm project. P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes. > Signed-off-by: Lena Voytek <lena.voytek@canonical.com> > --- > src/security/apparmor/libvirt-qemu | 3 ++- > src/security/apparmor/usr.sbin.libvirtd.in | 1 + > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu > index 250ba4ea58..c29168da27 100644 > --- a/src/security/apparmor/libvirt-qemu > +++ b/src/security/apparmor/libvirt-qemu > @@ -180,7 +180,7 @@ > audit deny /{var/,}run/qemu/*/*.so w, > > # swtpm > - /{usr/,}bin/swtpm rmix, > + /{usr/,}bin/swtpm rmpix, > /usr/{lib,lib64}/libswtpm_libtpms.so mr, > /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, > > @@ -226,6 +226,7 @@ > unix (send, receive) type=stream addr=none peer=(label=libvirtd), > unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), > unix (send, receive) type=stream addr=none peer=(label=virtqemud), > + unix (send, receive) type=stream addr=none peer=(label=swtpm), > > # for gathering information about available host resources > /sys/devices/system/cpu/ r, > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in > index f2ab6ff2aa..886f1ad518 100644 > --- a/src/security/apparmor/usr.sbin.libvirtd.in > +++ b/src/security/apparmor/usr.sbin.libvirtd.in 
> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { > ptrace (read,trace) peer=dnsmasq, > ptrace (read,trace) peer=/usr/sbin/dnsmasq, > ptrace (read,trace) peer=libvirt-*, > + ptrace (read,trace) peer=swtpm, > > signal (send) peer=dnsmasq, > signal (send) peer=/usr/sbin/dnsmasq, > -- > 2.25.1 > -- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd
On 4/20/22 03:40, Christian Ehrhardt wrote: > On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@canonical.com> wrote: > > Hi Lena, > the code is fine - I can confirm that this works well in Ubuntu 22.04 already. > > But we should add a non-empty commit message here. > Just outline that this is needed when swtpm itself runs under a > profile called "swtpm". > And maybe reference the upstreaming of that profile into the swtpm project. > > P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes. I see this patch has already been pushed. Regardless, it LGTM. Regards, Jim > >> Signed-off-by: Lena Voytek <lena.voytek@canonical.com> >> --- >> src/security/apparmor/libvirt-qemu | 3 ++- >> src/security/apparmor/usr.sbin.libvirtd.in | 1 + >> 2 files changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu >> index 250ba4ea58..c29168da27 100644 >> --- a/src/security/apparmor/libvirt-qemu >> +++ b/src/security/apparmor/libvirt-qemu >> @@ -180,7 +180,7 @@ >> audit deny /{var/,}run/qemu/*/*.so w, >> >> # swtpm >> - /{usr/,}bin/swtpm rmix, >> + /{usr/,}bin/swtpm rmpix, >> /usr/{lib,lib64}/libswtpm_libtpms.so mr, >> /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, >> >> @@ -226,6 +226,7 @@ >> unix (send, receive) type=stream addr=none peer=(label=libvirtd), >> unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), >> unix (send, receive) type=stream addr=none peer=(label=virtqemud), >> + unix (send, receive) type=stream addr=none peer=(label=swtpm), >> >> # for gathering information about available host resources >> /sys/devices/system/cpu/ r, >> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in >> index f2ab6ff2aa..886f1ad518 100644 >> --- a/src/security/apparmor/usr.sbin.libvirtd.in >> +++ b/src/security/apparmor/usr.sbin.libvirtd.in 
>> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { >> ptrace (read,trace) peer=dnsmasq, >> ptrace (read,trace) peer=/usr/sbin/dnsmasq, >> ptrace (read,trace) peer=libvirt-*, >> + ptrace (read,trace) peer=swtpm, >> >> signal (send) peer=dnsmasq, >> signal (send) peer=/usr/sbin/dnsmasq, >> -- >> 2.25.1 >> > >