apparmor: Allow swtpm to use its own apparmor profile

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58527a4377a85ee80c79f6bc99f7dae8..c29168da27e7347a2f0157f12b98386bbac7437b 100644 (file)
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
   audit deny /{var/,}run/qemu/*/*.so w,
 
   # swtpm
-  /{usr/,}bin/swtpm rmix,
+  /{usr/,}bin/swtpm rmpix,
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
   /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
 
@@ -226,6 +226,7 @@
   unix (send, receive) type=stream addr=none peer=(label=libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+  unix (send, receive) type=stream addr=none peer=(label=swtpm),
 
   # for gathering information about available host resources
   /sys/devices/system/cpu/ r,

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aad9f41490d813acda646a49d7d4a5b9..886f1ad51833392ede2097e5003d7cc934ec7042 100644 (file)
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   ptrace (read,trace) peer=dnsmasq,
   ptrace (read,trace) peer=/usr/sbin/dnsmasq,
   ptrace (read,trace) peer=libvirt-*,
+  ptrace (read,trace) peer=swtpm,
 
   signal (send) peer=dnsmasq,
   signal (send) peer=/usr/sbin/dnsmasq,