From: Chris Coulson
Date: Tue, 24 Sep 2019 19:25:14 +0000 (+0100)
Subject: security: AppArmor profile fixes for swtpm
X-Git-Tag: v5.8.0-rc1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d660dd95ea91839156eb078710e9d85a2f306ab5;p=thirdparty%2Flibvirt.git

security: AppArmor profile fixes for swtpm

The AppArmor profile generated by virt-aa-helper is too strict for swtpm. This change contains 2 small fixes:

- Relax append access to swtpm's log file to permit write access instead. Append access is insufficient because the log is opened with O_CREAT.
- Permit swtpm to acquire a lock on its lock file.

Signed-off-by: Chris Coulson
Reviewed-by: Michal Privoznik
---
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index ead4eaa236..5853ad985f 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1238,10 +1238,10 @@ get_files(vahControl * ctl) * directory, log, and PID files. */ virBufferAsprintf(&buf, - " \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n", + " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n", LOCALSTATEDIR, uuidstr, tpmpath); virBufferAsprintf(&buf, - " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n", + " \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n", LOCALSTATEDIR, ctl->def->name); virBufferAsprintf(&buf, " \"%s/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
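Review bot: the `k` permission is granted on the `"%s/lib/libvirt/swtpm/%s/%s/**" rwk` glob, i.e. on every file under swtpm's state directory, while the commit message says the intent is only to let swtpm lock its lock file; if that file has a fixed name, a dedicated rule for that one path would keep lock access off the rest of the directory, and the commit message should name the file either way. The change from `a` to `w` on the `%s-swtpm.log` rule also drops the append-only restriction, so swtpm may now truncate or rewrite its log rather than only create and append to it; that widening deserves a sentence in the commit message. Lastly, the context comment `* directory, log, and PID files. */` directly above these rules still lists only those three, so it should mention the lock file now that `k` is part of the rule.

The two operations the commit message says the generated profile must permit, as an added example that is not libvirt or swtpm code: a log opened with O_CREAT|O_APPEND, and a POSIX record lock taken on a lock file. Both functions return 0 (or a non-negative fd) on success and a negative errno on failure, so the program can be run under an AppArmor profile (for instance with `aa-exec`) to confirm that a rule carrying only `a` rejects the first open and a rule without `k` rejects the lock. The paths used below are assumptions chosen for the example, not the paths the profile generator emits.

```c
/* Added example, not libvirt or swtpm code. Reproduces the file operations
 * the commit message says swtpm performs, so an AppArmor profile can be
 * checked against them. All paths here are example assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Open the log, creating it if absent, and append one line.
 * This is the open pattern the commit message describes: the O_CREAT flag
 * is what an append-only ("a") AppArmor rule cannot satisfy.
 * Returns 0 on success, otherwise -errno. */
int append_log_line(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -errno;

    size_t len = strlen(line);
    ssize_t n = write(fd, line, len);
    int rc = (n >= 0 && (size_t)n == len) ? 0 : -errno;
    close(fd);
    return rc;
}

/* Create the lock file and take an exclusive POSIX record lock on it.
 * fcntl(F_SETLK) is the operation AppArmor mediates with the "k"
 * permission. Returns the fd holding the lock (>= 0), otherwise -errno. */
int acquire_lock_file(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -errno;

    struct flock fl;
    memset(&fl, 0, sizeof(fl));
    fl.l_type = F_WRLCK;     /* exclusive lock */
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;            /* whole file */

    if (fcntl(fd, F_SETLK, &fl) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;               /* lock is held until fd is closed */
}

/* Release the lock by closing the descriptor returned above. */
int release_lock_file(int fd)
{
    return close(fd) == 0 ? 0 : -errno;
}

int main(void)
{
    /* Example paths (assumptions); swap in the real profile paths when
     * running under aa-exec against a generated profile. */
    const char *log = "/tmp/example-swtpm.log";
    const char *lock = "/tmp/example-swtpm.lock";

    int rc = append_log_line(log, "swtpm example log line\n");
    printf("append_log_line: %s\n", rc == 0 ? "ok" : strerror(-rc));

    int fd = acquire_lock_file(lock);
    printf("acquire_lock_file: %s\n", fd >= 0 ? "ok" : strerror(-fd));
    if (fd >= 0)
        release_lock_file(fd);
    return (rc == 0 && fd >= 0) ? 0 : 1;
}
```

Run it unconfined first to establish the baseline, then under the profile in question; an EACCES from `append_log_line` points at the log rule lacking `w`, and an EACCES from `acquire_lock_file` points at the state-directory rule lacking `k`.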