security: AppArmor profile fixes for swtpm

The AppArmor profile generated by virt-aa-helper is too strict for swtpm.
This change contains 2 small fixes:
- Relax append access to swtpm's log file to permit write access instead.
Append access is insufficient because the log is opened with O_CREAT.
- Permit swtpm to acquire a lock on its lock file.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index ead4eaa236a10c9fdc9af13ef73d3bff40f485de..5853ad985fe17c91af3f1dc39d179f22a1dca5b7 100644 (file)
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1238,10 +1238,10 @@ get_files(vahControl * ctl)
              * directory, log, and PID files.
              */
             virBufferAsprintf(&buf,
-                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
                 LOCALSTATEDIR, uuidstr, tpmpath);
             virBufferAsprintf(&buf,
-                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n",
                 LOCALSTATEDIR, ctl->def->name);
             virBufferAsprintf(&buf,
                 "  \"%s/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",