security: Add swtpm paths to the domain's AppArmor profile
This patch extends the AppArmor domain profile with the file paths that swtpm accesses for its state, log, PID, and socket files. Both QEMU and swtpm use this AppArmor profile. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
This commit is contained in:
parent
f8c65481d5
commit
43b0b4f834
@ -158,6 +158,11 @@
|
||||
/usr/{lib,lib64}/qemu/*.so mr,
|
||||
/usr/lib/@{multiarch}/qemu/*.so mr,
|
||||
|
||||
# swtpm
|
||||
/{usr/,}bin/swtpm rmix,
|
||||
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
|
||||
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
|
||||
|
||||
# for save and resume
|
||||
/{usr/,}bin/dash rmix,
|
||||
/{usr/,}bin/dd rmix,
|
||||
|
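Review bot: The `rmix` on `/{usr/,}bin/swtpm` is what makes swtpm run confined under the same per-domain profile as QEMU, but nothing in the hunk says so, and the state/log/PID/socket rules the commit message talks about are not in this file at all but are generated per domain by virt-aa-helper. A reader of this abstraction will look here for them, so the `# swtpm` heading should carry the cross-reference: `# swtpm is executed with ix and so inherits the per-domain profile; its state, log, PID and socket rules are generated per domain by virt-aa-helper`. The `# for save and resume` lines below are pre-existing context, not part of this change.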
@ -1181,6 +1181,51 @@ get_files(vahControl * ctl)
|
||||
}
|
||||
}
|
||||
|
||||
if (ctl->def->tpm) {
|
||||
char *shortName = NULL;
|
||||
const char *tpmpath = NULL;
|
||||
|
||||
switch (ctl->def->tpm->type) {
|
||||
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
|
||||
shortName = virDomainDefGetShortName(ctl->def);
|
||||
|
||||
switch (ctl->def->tpm->version) {
|
||||
case VIR_DOMAIN_TPM_VERSION_1_2:
|
||||
tpmpath = "tpm1.2";
|
||||
break;
|
||||
case VIR_DOMAIN_TPM_VERSION_2_0:
|
||||
tpmpath = "tpm2";
|
||||
break;
|
||||
case VIR_DOMAIN_TPM_VERSION_DEFAULT:
|
||||
case VIR_DOMAIN_TPM_VERSION_LAST:
|
||||
break;
|
||||
}
|
||||
|
||||
/* Unix socket for QEMU and swtpm to use */
|
||||
virBufferAsprintf(&buf,
|
||||
" \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
|
||||
shortName);
|
||||
/* Paths for swtpm to use: give it access to its state
|
||||
* directory, log, and PID files.
|
||||
*/
|
||||
virBufferAsprintf(&buf,
|
||||
" \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
|
||||
LOCALSTATEDIR, uuidstr, tpmpath);
|
||||
virBufferAsprintf(&buf,
|
||||
" \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
|
||||
LOCALSTATEDIR, ctl->def->name);
|
||||
virBufferAsprintf(&buf,
|
||||
" \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
|
||||
shortName);
|
||||
|
||||
VIR_FREE(shortName);
|
||||
break;
|
||||
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
||||
case VIR_DOMAIN_TPM_TYPE_LAST:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
|
||||
for (i = 0; i < ctl->def->nnets; i++) {
|
||||
virDomainNetDefPtr net = ctl->def->nets[i];
|
||||
|
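Review bot: `tpmpath` is still NULL when the version switch takes the `VIR_DOMAIN_TPM_VERSION_DEFAULT` / `VIR_DOMAIN_TPM_VERSION_LAST` arm, yet it is then handed to `virBufferAsprintf` through `%s` for the state-directory rule; passing NULL to `%s` is undefined behaviour in C (glibc happens to print `(null)`, which would silently emit a rule for `.../(null)/**` and leave the real state directory denied). `shortName` from `virDomainDefGetShortName` is used the same way in the socket and PID rules without a NULL check, and since it is released with `VIR_FREE` it is presumably an allocation that can fail. Before the first `virBufferAsprintf`, guard both: `if (!tpmpath || !shortName) { VIR_FREE(shortName); goto ERROR_LABEL; /* placeholder: get_files' existing error exit */ }` — get_files begins and ends outside the hunk, so its failure label is not visible here, but the point is to fail loudly rather than write a partial profile. Separately, the socket and PID rules hard-code `/run/libvirt/qemu/swtpm` while the state and log rules derive from `LOCALSTATEDIR`; if the run directory is configurable in this build, the generated rule and the path swtpm actually uses could diverge, so a comment stating why the prefix is fixed would help.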