diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 874aca2092..df5f512487 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,11 @@
 /usr/{lib,lib64}/qemu/*.so mr,
 /usr/lib/@{multiarch}/qemu/*.so mr,
+ # swtpm
+ /{usr/,}bin/swtpm rmix,
+ /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+ /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
 # for save and resume
 /{usr/,}bin/dash rmix,
 /{usr/,}bin/dd rmix,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 971ee6733c..952b496f21 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1181,6 +1181,51 @@ get_files(vahControl * ctl)
 }
 }
+ if (ctl->def->tpm) {
+ char *shortName = NULL;
+ const char *tpmpath = NULL;
+ switch (ctl->def->tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ shortName = virDomainDefGetShortName(ctl->def);
+ switch (ctl->def->tpm->version) {
+ case VIR_DOMAIN_TPM_VERSION_1_2:
+ tpmpath = "tpm1.2";
+ break;
+ case VIR_DOMAIN_TPM_VERSION_2_0:
+ tpmpath = "tpm2";
+ break;
+ case VIR_DOMAIN_TPM_VERSION_DEFAULT:
+ case VIR_DOMAIN_TPM_VERSION_LAST:
+ break;
+ }
+ /* Unix socket for QEMU and swtpm to use */
+ virBufferAsprintf(&buf,
+ " \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
+ shortName);
+ /* Paths for swtpm to use: give it access to its state
+ * directory, log, and PID files.
+ */
+ virBufferAsprintf(&buf,
+ " \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+ LOCALSTATEDIR, uuidstr, tpmpath);
+ virBufferAsprintf(&buf,
+ " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+ LOCALSTATEDIR, ctl->def->name);
+ virBufferAsprintf(&buf,
+ " \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+ shortName);
+ VIR_FREE(shortName);
+ break;
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ }
+ }
+
 if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
 for (i = 0; i < ctl->def->nnets; i++) {
 virDomainNetDefPtr net = ctl->def->nets[i];
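Review bot: The two new library rules match the literal name `libswtpm_libtpms.so`, but the dynamic loader opens the SONAME and AppArmor mediates the resolved target, so on an install where the real file is versioned (`libswtpm_libtpms.so.0…`) these lines may not be what grants the mapping at all; `/usr/{lib,lib64}/libswtpm_libtpms.so* mr,` and `/usr/lib/@{multiarch}/libswtpm_libtpms.so* mr,` would be robust to that, worth confirming against the installed file name. The `ix` on `/{usr/,}bin/swtpm` makes swtpm inherit the per-domain profile, so the VM-specific socket, state, log and PID rules that virt-aa-helper appends are what actually confine it. A comment recording that intent, e.g. `# swtpm inherits this profile; its per-VM state paths are added by virt-aa-helper`, would explain why inherit rather than a profile transition is used.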
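Review bot: `tpmpath` stays NULL when `ctl->def->tpm->version` is `VIR_DOMAIN_TPM_VERSION_DEFAULT` or `_LAST`, and `shortName` returned by `virDomainDefGetShortName()` is never checked, yet both are passed to `%s` in the `virBufferAsprintf()` calls, so either case writes a rule containing a glibc `(null)` path component (undefined behaviour by the C standard) instead of failing. Guard both before any rule is emitted: `if (!(shortName = virDomainDefGetShortName(ctl->def)))` should take get_files()'s existing error return (the function begins and ends outside this hunk, so its label and return value are not visible here), and after the version switch `if (!tpmpath) { VIR_FREE(shortName); break; }` skips the swtpm rules rather than emitting a bogus one; the default version is presumably resolved by the domain post-parse step, but the helper should not silently depend on that. The rules also interpolate `shortName` and `ctl->def->name` inside quoted AppArmor paths, which is only safe if the domain name was already rejected for quote and glob metacharacters earlier in the helper; a one-line comment next to the first `virBufferAsprintf()`, such as `/* domain name was validated earlier: no AppArmor metacharacters */`, would make that dependency explicit.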