apparmor: Allow swtpm to use its own apparmor profile

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2025-01-10 14:57:42 +00:00 · 2022-04-13 14:21:19 -07:00 · 2022-04-13 14:21:19 -07:00 · d97f8807d2
commit d97f8807d2
parent eac8de54a6
2 changed files with 3 additions and 1 deletions
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@ -180,7 +180,7 @@
  audit deny /{var/,}run/qemu/*/*.so w,
  # swtpm
-  /{usr/,}bin/swtpm rmix,
+  /{usr/,}bin/swtpm rmpix,
  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
@ -226,6 +226,7 @@
  unix (send, receive) type=stream addr=none peer=(label=libvirtd),
  unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
  unix (send, receive) type=stream addr=none peer=(label=virtqemud),
  unix (send, receive) type=stream addr=none peer=(label=swtpm),
  # for gathering information about available host resources
  /sys/devices/system/cpu/ r,
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
  ptrace (read,trace) peer=dnsmasq,
  ptrace (read,trace) peer=/usr/sbin/dnsmasq,
  ptrace (read,trace) peer=libvirt-*,
  ptrace (read,trace) peer=swtpm,
  signal (send) peer=dnsmasq,
  signal (send) peer=/usr/sbin/dnsmasq,