virt-aa-helper: Allow swtpm to fsync on dir

Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
its state files into so that "the entry in the directory containing the
file has also reached disk" (fsync(2)).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 52cfebf6e087f080b54e1a06070d474c612a0984..e21557c810a9daf9cb78eceb5e4a23b46bc196bf 100644 (file)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
                 "  \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
                 RUNSTATEDIR, shortName);
             /* Paths for swtpm to use: give it access to its state
-             * directory, log, and PID files.
+             * directory (state files and fsync on dir), log, and PID files.
              */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
+                LOCALSTATEDIR, uuidstr, tpmpath);
             virBufferAsprintf(&buf,
                 "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
                 LOCALSTATEDIR, uuidstr, tpmpath);