security: Add swtpm paths to the domain's AppArmor profile

This patch extends the AppArmor domain profile with file paths the swtpm accesses for state, log, pid, and socket files. Both, QEMU and swtpm, use this AppArmor profile. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2025-02-25 18:55:26 -06:00 · 2018-05-18 23:33:46 -04:00
parent f8c65481d5
commit 43b0b4f834
2 changed files with 50 additions and 0 deletions
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,11 @@
  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,

+  # swtpm
+  /{usr/,}bin/swtpm rmix,
+  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,