Re: [PATCH v8 13/18] security: Add swtpm paths to the domain's AppArmor profile

[Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>]

On 05/24/2018 04:26 PM, Stefan Berger wrote:
> This patch extends the AppArmor domain profile with file paths
> the swtpm accesses for state, log, pid, and socket files.
>
> Both, QEMU and swtpm, use this AppArmor profile.
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
> Cc: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
>   examples/apparmor/libvirt-qemu |  3 +++
>   src/security/virt-aa-helper.c  | 24 ++++++++++++++++++++++++
>   2 files changed, 27 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 2c47652250..854729d0ae 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -158,6 +158,9 @@
>     /usr/{lib,lib64}/qemu/*.so mr,
>     /usr/lib/@{multiarch}/qemu/*.so mr,
>
> +  # swtpm
> +  /usr/bin/swtpm rmix,
> +
>     # for save and resume
>     /{usr/,}bin/dash rmix,
>     /{usr/,}bin/dd rmix,

I cannot get the existing AppArmor profiles in examples/apparmor to 
work. So this is an addition that I would anticipate that it is 
necessary. Whether this plus the extensions to virt-aa-helper.c below 
are sufficient is not clear.

> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index d0f9876da5..6ee436e66c 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1185,6 +1185,30 @@ get_files(vahControl * ctl)
>           }
>       }
>
> +    if (ctl->def->tpm) {
> +        char *shortName = virDomainDefGetShortName(ctl->def);
> +        switch (ctl->def->tpm->type) {
> +        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> +            virBufferAsprintf(&buf,
> +                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" x,\n",
> +                LOCALSTATEDIR, shortName);
> +            /* paths for swtpm to use */
> +            virBufferAsprintf(&buf,
> +                "  \"%s/lib/libvirt/swtpm/%s,tpm2/**\" rw,\n",
> +                LOCALSTATEDIR, uuidstr);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" rw,\n",
> +                LOCALSTATEDIR, shortName);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
> +                LOCALSTATEDIR, shortName);
> +            break;
> +        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
> +        case VIR_DOMAIN_TPM_TYPE_LAST:
> +            break;
> +        }
> +    }
> +
>       if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>           for (i = 0; i < ctl->def->nnets; i++) {
>               virDomainNetDefPtr net = ctl->def->nets[i];


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list