apparmor: Allow swtpm to use its own apparmor profile

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
This commit is contained in:
Lena Voytek 2022-04-13 14:21:19 -07:00 committed by Daniel P. Berrangé
parent eac8de54a6
commit d97f8807d2
2 changed files with 3 additions and 1 deletions

View File

@ -180,7 +180,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
/{usr/,}bin/swtpm rmix,
/{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
@ -226,6 +226,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
unix (send, receive) type=stream addr=none peer=(label=swtpm),
# for gathering information about available host resources
/sys/devices/system/cpu/ r,

View File

@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,