Re: [PATCH] apparmor: Allow swtpm to use its own apparmor profile

Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> · Wed, 20 Apr 2022 11:40:41 +0200

On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@xxxxxxxxxxxxx> wrote:

Hi Lena,
the code is fine - I can confirm that this works well in Ubuntu 22.04 already.

But we should add a non-empty commit message here.
Just outline that this is needed when swtpm itself runs under a
profile called "swtpm".
And maybe reference the upstreaming of that profile into the swtpm project.

P.S. also adding Jim to CC as he looks at apparmor from Suses POV sometimes.

> Signed-off-by: Lena Voytek <lena.voytek@xxxxxxxxxxxxx>
> ---
>  src/security/apparmor/libvirt-qemu         | 3 ++-
>  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
>  2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 250ba4ea58..c29168da27 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -180,7 +180,7 @@
>    audit deny /{var/,}run/qemu/*/*.so w,
>
>    # swtpm
> -  /{usr/,}bin/swtpm rmix,
> +  /{usr/,}bin/swtpm rmpix,
>    /usr/{lib,lib64}/libswtpm_libtpms.so mr,
>    /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
>
> @@ -226,6 +226,7 @@
>    unix (send, receive) type=stream addr=none peer=(label=libvirtd),
>    unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
>    unix (send, receive) type=stream addr=none peer=(label=virtqemud),
> +  unix (send, receive) type=stream addr=none peer=(label=swtpm),
>
>    # for gathering information about available host resources
>    /sys/devices/system/cpu/ r,
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index f2ab6ff2aa..886f1ad518 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
>    ptrace (read,trace) peer=dnsmasq,
>    ptrace (read,trace) peer=/usr/sbin/dnsmasq,
>    ptrace (read,trace) peer=libvirt-*,
> +  ptrace (read,trace) peer=swtpm,
>
>    signal (send) peer=dnsmasq,
>    signal (send) peer=/usr/sbin/dnsmasq,
> --
> 2.25.1
>

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd