From: Lena Voytek
Date: Wed, 13 Apr 2022 21:21:19 +0000 (-0700)
Subject: apparmor: Allow swtpm to use its own apparmor profile
X-Git-Tag: v8.3.0-rc1~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d97f8807d28ded3cc704ca545a3c896fbc161263;p=thirdparty%2Flibvirt.git
apparmor: Allow swtpm to use its own apparmor profile
Signed-off-by: Lena Voytek
---
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 250ba4ea58..c29168da27 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -180,7 +180,7 @@
 audit deny /{var/,}run/qemu/*/*.so w,
 # swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
 /usr/{lib,lib64}/libswtpm_libtpms.so mr,
 /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
@@ -226,6 +226,7 @@
 unix (send, receive) type=stream addr=none peer=(label=libvirtd),
 unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
 unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
 # for gathering information about available host resources
 /sys/devices/system/cpu/ r,
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index f2ab6ff2aa..886f1ad518 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -58,6 +58,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 ptrace (read,trace) peer=dnsmasq,
 ptrace (read,trace) peer=/usr/sbin/dnsmasq,
 ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
 signal (send) peer=dnsmasq,
 signal (send) peer=/usr/sbin/dnsmasq,
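Review bot: The lowercase `p` in `/{usr/,}bin/swtpm rmpix,` makes the profile transition without scrubbing the environment, and the `ix` fallback means a host with no swtpm profile loaded silently keeps swtpm inside the profile that includes this abstraction. If swtpm does not rely on inherited environment variables, `rmPix` would be the more conservative mode. A comment above the rule such as `# p: switch to the swtpm profile when it is loaded; ix: otherwise stay in this profile` would record the intent. The swtpm profile is not part of this diff, so it is worth confirming that it restricts TPM state paths at least as tightly as the confinement swtpm leaves behind.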
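Review bot: `peer=(label=swtpm)` matches only a profile whose name is exactly `swtpm`, whereas the rules above it list both the short name and the `/usr/sbin/libvirtd` path form, presumably because profile naming differs between installations. If a supported swtpm profile is named by its path, this rule will not match and the stream socket to swtpm would be denied once the transition takes effect. The same applies to `ptrace (read,trace) peer=swtpm,` in usr.sbin.libvirtd.in. Either confirm the name is always `swtpm` or add a path-named sibling rule, and state the expected name in a comment, e.g. `# swtpm runs under its own profile, named "swtpm"`.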
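Review bot: Only a ptrace rule is added for `peer=swtpm`; the `signal (send)` rules visible below it name dnsmasq peers, and no swtpm entry is added in this hunk. The signal block continues past the end of the hunk, so an existing rule may already cover it. If none does, libvirtd could be denied when it signals a swtpm process that now runs under its own profile. It is worth checking for a matching rule and otherwise adding `signal (send) peer=swtpm,` beside the dnsmasq entries.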