Re: [PATCH] apparmor: Allow swtpm to use its own apparmor profile

On 4/20/22 03:40, Christian Ehrhardt wrote:
On Tue, Apr 19, 2022 at 7:28 PM Lena Voytek <lena.voytek@xxxxxxxxxxxxx> wrote:

Hi Lena,
the code is fine - I can confirm that this works well in Ubuntu 22.04 already.

But we should add a non-empty commit message here.
Just outline that this is needed when swtpm itself runs under a
profile called "swtpm".
And maybe reference the upstreaming of that profile into the swtpm project.

P.S. also adding Jim to CC as he looks at apparmor from SUSE's POV sometimes.

I see this patch has already been pushed. Regardless, it LGTM.

Regards,
Jim


Signed-off-by: Lena Voytek <lena.voytek@xxxxxxxxxxxxx>
---
  src/security/apparmor/libvirt-qemu         | 3 ++-
  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
  2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
    audit deny /{var/,}run/qemu/*/*.so w,

    # swtpm
-  /{usr/,}bin/swtpm rmix,
+  /{usr/,}bin/swtpm rmpix,
    /usr/{lib,lib64}/libswtpm_libtpms.so mr,
    /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,

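Review bot: the change from `ix` to `pix` on `/{usr/,}bin/swtpm` needs the commit message that is currently missing above the Signed-off-by line. `p` makes swtpm transition to the profile attached to /usr/bin/swtpm (the one labelled `swtpm`) when that profile is loaded, and the trailing `i` falls back to inheriting the per-VM libvirt-qemu profile when it is not. The fallback matters: on a host without the swtpm profile, swtpm keeps the emulator's label and the `peer=(label=swtpm)` rule added further down never matches, so behaviour silently stays as before. State that, and reference where the swtpm profile is maintained (Christian suggests its upstreaming into the swtpm project).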
@@ -226,6 +226,7 @@
    unix (send, receive) type=stream addr=none peer=(label=libvirtd),
    unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
    unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+  unix (send, receive) type=stream addr=none peer=(label=swtpm),

    # for gathering information about available host resources
    /sys/devices/system/cpu/ r,
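Review bot: this unix rule opens only the libvirt-qemu side of the stream. AppArmor mediates both endpoints, so the `swtpm` profile must carry the mirror rule, `unix (send, receive) type=stream addr=none peer=(label=libvirt-*),` or the same socket operations are still denied from the swtpm side. That profile is outside this tree, so the commit message should record the dependency and the minimum swtpm profile version that has it; otherwise a libvirt that ships this rule paired with an older swtpm profile produces confusing denials attributed to swtpm rather than to qemu.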
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
    ptrace (read,trace) peer=dnsmasq,
    ptrace (read,trace) peer=/usr/sbin/dnsmasq,
    ptrace (read,trace) peer=libvirt-*,
+  ptrace (read,trace) peer=swtpm,

    signal (send) peer=dnsmasq,
    signal (send) peer=/usr/sbin/dnsmasq,
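Review bot: only a ptrace rule is added for the `swtpm` peer, while the neighbouring dnsmasq entries carry both `ptrace (read,trace)` and `signal (send)`. If libvirtd stops swtpm by signalling it when the domain is torn down, it also needs `signal (send) peer=swtpm,` next to the dnsmasq signal rules immediately below this hunk; if swtpm is expected to exit on its own once qemu closes its sockets, say so in the commit message so the asymmetry does not read as an omission.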
--
2.25.1
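Christian's point that the patch only makes sense when swtpm itself runs under a profile called "swtpm" is easiest to see from the other side of the peer labels. The fragment below is an illustrative counterpart profile written for this reply, not the swtpm project's own profile and not part of the patch; it assumes swtpm is installed at /usr/bin/swtpm, that the per-VM qemu profiles are named libvirt-<uuid> (the `libvirt-*` glob used in libvirtd's profile above), and that the daemon's profile label is `libvirtd`. Every rule in it is the mirror of a rule in the patch.

```apparmor
# Illustrative swtpm profile (assumption for this example, not the
# upstream swtpm project's profile). Its label is "swtpm", which is what
# the patch's peer=(label=swtpm) and peer=swtpm rules match against.
#include <tunables/global>

profile swtpm /usr/bin/swtpm {
  #include <abstractions/base>

  # Reverse side of the libvirt-qemu rule added in the patch: the unnamed
  # stream sockets qemu hands to swtpm must be allowed from this profile
  # too, or AppArmor denies them at the swtpm end.
  unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

  # Reverse side of libvirtd's ptrace (read,trace) peer=swtpm rule.
  ptrace (readby, tracedby) peer=libvirtd,
  ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,

  # Assumption: libvirtd terminates swtpm on domain shutdown, so the
  # signal has to be receivable here (see the note on the libvirtd hunk).
  signal (receive) peer=libvirtd,
  signal (receive) peer=/usr/sbin/libvirtd,

  # The binary and the libtpms backend it loads, matching the paths the
  # libvirt-qemu profile already lists.
  /usr/bin/swtpm mr,
  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
}
```

After loading it with `apparmor_parser -r` and starting a domain with an emulated TPM, `cat /proc/$(pidof swtpm)/attr/current` should print `swtpm (enforce)`. If it prints the `libvirt-<uuid>` label instead, the `p` transition did not happen and the `i` fallback kept swtpm under the emulator's profile, in which case the new `peer=(label=swtpm)` rules in the patch are inert rather than enforcing anything.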
