security: Add swtpm paths to the domain's AppArmor profile

This patch extends the AppArmor domain profile with file paths the swtpm accesses for state, log, pid, and socket files. Both, QEMU and swtpm, use this AppArmor profile. Signed-off-by: N Stefan Berger <stefanb@linux.vnet.ibm.com> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>

security: Add swtpm paths to the domain's AppArmor profile
This patch extends the AppArmor domain profile with file paths the swtpm accesses for state, log, pid, and socket files. Both, QEMU and swtpm, use this AppArmor profile. Signed-off-by: N Stefan Berger <stefanb@linux.vnet.ibm.com> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
43b0b4f8 · Stefan Berger · f8c65481 · 43b0b4f8 · 43b0b4f8
隐藏空白更改
内联并排

Showing with 50 addition and 0 deletion

examples/apparmor/libvirt-qemu examples/apparmor/libvirt-qemu +5 -0

src/security/virt-aa-helper.c src/security/virt-aa-helper.c +45 -0

未找到文件。
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,11 @@
  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,

+  # swtpm
+  /{usr/,}bin/swtpm rmix,
+  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
  # for save and resume
  /{usr/,}bin/dash rmix,
  /{usr/,}bin/dd rmix,

--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1181,6 +1181,51 @@ get_files(vahControl * ctl)
        }
    }

+    if (ctl->def->tpm) {
+        char *shortName = NULL;
+        const char *tpmpath = NULL;
+
+        switch (ctl->def->tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+            shortName = virDomainDefGetShortName(ctl->def);
+
+            switch (ctl->def->tpm->version) {
+            case VIR_DOMAIN_TPM_VERSION_1_2:
+                tpmpath = "tpm1.2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_2_0:
+                tpmpath = "tpm2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_DEFAULT:
+            case VIR_DOMAIN_TPM_VERSION_LAST:
+                break;
+            }
+
+            /* Unix socket for QEMU and swtpm to use */
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
+                shortName);
+            /* Paths for swtpm to use: give it access to its state
+             * directory, log, and PID files.
+             */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+                LOCALSTATEDIR, uuidstr, tpmpath);
+            virBufferAsprintf(&buf,
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+                LOCALSTATEDIR, ctl->def->name);
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+                shortName);
+
+            VIR_FREE(shortName);
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        }
+    }
+
    if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
        for (i = 0; i < ctl->def->nnets; i++) {
            virDomainNetDefPtr net = ctl->def->nets[i];