Re: [PATCH v9 13/17] security: Add swtpm paths to the domain's AppArmor profile

On 06/04/2018 11:46 AM, Stefan Berger wrote:
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.

Both QEMU and swtpm use this AppArmor profile.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
Cc: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>

After the recent changes I had made to it, I didn't think it was appropriate to take the Reviewed-by. Can someone have a (quick) look?

   Stefan

---
  examples/apparmor/libvirt-qemu |  3 +++
  src/security/virt-aa-helper.c  | 45 ++++++++++++++++++++++++++++++++++++++++++
  2 files changed, 48 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 2c47652250..854729d0ae 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,9 @@
    /usr/{lib,lib64}/qemu/*.so mr,
    /usr/lib/@{multiarch}/qemu/*.so mr,

+  # swtpm
+  /usr/bin/swtpm rmix,
+
    # for save and resume
    /{usr/,}bin/dash rmix,
    /{usr/,}bin/dd rmix,
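Review bot: the new rule `/usr/bin/swtpm rmix,` hard-codes a single location while the neighbouring rules in this same block use the `/{usr/,}bin/` alternation (`/{usr/,}bin/dash rmix,`, `/{usr/,}bin/dd rmix,`); consider `/{usr/,}bin/swtpm rmix,` for consistency, otherwise a distribution that installs swtpm under `/bin` will have the exec denied. The `ix` (inherit) mode is the right choice given the commit message's statement that both QEMU and swtpm run under this one profile, since the per-domain paths emitted by virt-aa-helper below only exist in that profile.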
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d0f9876da5..7a6fb31e9a 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1185,6 +1185,51 @@ get_files(vahControl * ctl)
          }
      }

+    if (ctl->def->tpm) {
+        char *shortName = NULL;
+        const char *tpmpath = NULL;
+
+        switch (ctl->def->tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+            shortName = virDomainDefGetShortName(ctl->def);
+
+            switch (ctl->def->tpm->version) {
+            case VIR_DOMAIN_TPM_VERSION_1_2:
+                tpmpath = "tpm1.2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_2_0:
+                tpmpath = "tpm2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_DEFAULT:
+            case VIR_DOMAIN_TPM_VERSION_LAST:
+                break;
+            }
+
+            /* Unix socket for QEMU and swtpm to use */
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
+                shortName);
+            /* Paths for swtpm to use: give it access to its state
+             * directory, log, and PID files.
+             */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+                LOCALSTATEDIR, uuidstr, tpmpath);
+            virBufferAsprintf(&buf,
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+                LOCALSTATEDIR, ctl->def->name);
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+                shortName);
+
+            VIR_FREE(shortName);
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        }
+    }
+
      if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
          for (i = 0; i < ctl->def->nnets; i++) {
              virDomainNetDefPtr net = ctl->def->nets[i];
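Review bot: `tpmpath` can still be NULL when the three `virBufferAsprintf` calls run, because the inner `switch` leaves it unset for `VIR_DOMAIN_TPM_VERSION_DEFAULT` and `VIR_DOMAIN_TPM_VERSION_LAST`, and `shortName` is used without checking the return of `virDomainDefGetShortName()`; either would format a `%s` with NULL and emit a bogus rule (or worse) into the profile. Suggest treating both as errors before writing anything, e.g. `if (!shortName || !tpmpath) goto cleanup;` (or `rc = -1` in the style of the rest of `get_files()`), and adding a `default:` branch rather than listing `_LAST`. Also note the log rule is built from `ctl->def->name` while the socket and pid rules use `shortName`; if the intent is that swtpm's log lives under the raw domain name, a short comment saying so would help, otherwise using `shortName` throughout keeps the three rules consistent and avoids embedding characters from the user-chosen name into the profile line.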


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list