On 7/14/21 3:13 AM, Michal Prívozník wrote:
On 7/13/21 8:38 PM, Stefan Berger wrote:
Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
its state files into so that "the entry in the directory containing the
file has also reached disk" (fsync(2)).
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
src/security/virt-aa-helper.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 52cfebf6e0..e21557c810 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
" \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
RUNSTATEDIR, shortName);
/* Paths for swtpm to use: give it access to its state
- * directory, log, and PID files.
+ * directory (state files and fsync on dir), log, and PID files.
*/
+ virBufferAsprintf(&buf,
+ " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
+ LOCALSTATEDIR, uuidstr, tpmpath);
virBufferAsprintf(&buf,
" \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
LOCALSTATEDIR, uuidstr, tpmpath);
Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
Although it took me a bit to realize that 0.7.0 is yet to be released :-)
Right. And I am thinking of deactivating the 'offending' fsync in the
Ubuntu version for quite a while until this AppArmor fix here has
propagated.
Thanks for pushing.
Stefan
Michal