apparmor: Allow SGX if configured
authorMichal Privoznik <mprivozn@redhat.com>
Tue, 25 Feb 2025 10:01:04 +0000 (11:01 +0100)
committerMichal Privoznik <mprivozn@redhat.com>
Tue, 25 Feb 2025 11:48:24 +0000 (12:48 +0100)
If the SGX memory model is configured for a domain then we need to
allow QEMU to access some additional files:

  1) /dev/sgx_vepc needs to be RW
  2) /dev/sgx_provision needs to be RO

We already do this in SELinux driver but not in AppArmor.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/751

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src/security/virt-aa-helper.c

index 1626d5a89c134c79879661b46e577b6a50fd72b6..c255b64f35dd29dc20826f5661f547d4f16fcb94 100644 (file)
@@ -1152,9 +1152,15 @@ get_files(vahControl * ctl)
             if (vah_add_file(&buf, mem->source.virtio_pmem.path, "rw") != 0)
                 goto cleanup;
             break;
+        case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+            if (vah_add_file(&buf, DEV_SGX_VEPC, "rw") != 0 ||
+                vah_add_file(&buf, DEV_SGX_PROVISION, "r") != 0) {
+                goto cleanup;
+            }
+            break;
+
         case VIR_DOMAIN_MEMORY_MODEL_DIMM:
         case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-        case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
         case VIR_DOMAIN_MEMORY_MODEL_NONE:
         case VIR_DOMAIN_MEMORY_MODEL_LAST:
             break;
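Review bot: The new `VIR_DOMAIN_MEMORY_MODEL_SGX_EPC` case grants read access to `DEV_SGX_PROVISION` for every domain that has an SGX EPC memory device, and nothing in the code says why the profile needs it or that the grant is unconditional. That node controls access to the SGX provisioning key, which is privacy-sensitive, so from a least-privilege view the rule deserves a why-comment above the case, for example `/* SGX guests: vEPC backing must be rw, provisioning node is read-only; mirrors the SELinux driver */`. The case sits in a per-memory-device switch whose loop begins outside the hunk, so a domain with several EPC devices would presumably request the same two rules more than once; it is worth confirming that `vah_add_file` tolerates the duplicates. get_files() starts and ends outside the hunk.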