security: Add swtpm paths to the domain's AppArmor profile

This patch extends the AppArmor domain profile with file paths the swtpm accesses for state, log, pid, and socket files. Both, QEMU and swtpm, use this AppArmor profile. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2024-12-22 05:35:25 +00:00 · 2018-05-18 23:33:46 -04:00 · 2018-05-18 23:33:46 -04:00 · 43b0b4f834
commit 43b0b4f834
parent f8c65481d5
2 changed files with 50 additions and 0 deletions
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@ -158,6 +158,11 @@
  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,

+  # swtpm
+  /{usr/,}bin/swtpm rmix,
+  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -1181,6 +1181,51 @@ get_files(vahControl * ctl)
        }
    }

+    if (ctl->def->tpm) {
+        char *shortName = NULL;
+        const char *tpmpath = NULL;
+
+        switch (ctl->def->tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+            shortName = virDomainDefGetShortName(ctl->def);
+
+            switch (ctl->def->tpm->version) {
+            case VIR_DOMAIN_TPM_VERSION_1_2:
+                tpmpath = "tpm1.2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_2_0:
+                tpmpath = "tpm2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_DEFAULT:
+            case VIR_DOMAIN_TPM_VERSION_LAST:
+                break;
+            }
+
+            /* Unix socket for QEMU and swtpm to use */
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
+                shortName);
+            /* Paths for swtpm to use: give it access to its state
+             * directory, log, and PID files.
+             */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+                LOCALSTATEDIR, uuidstr, tpmpath);
+            virBufferAsprintf(&buf,
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+                LOCALSTATEDIR, ctl->def->name);
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+                shortName);
+
+            VIR_FREE(shortName);
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        }
+    }
+
    if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
        for (i = 0; i < ctl->def->nnets; i++) {
            virDomainNetDefPtr net = ctl->def->nets[i];