security: AppArmor profile fixes for swtpm

The AppArmor profile generated by virt-aa-helper is too strict for swtpm. This change contains 2 small fixes: - Relax append access to swtpm's log file to permit write access instead. Append access is insufficient because the log is opened with O_CREAT. - Permit swtpm to acquire a lock on its lock file. Signed-off-by: N Chris Coulson <chris.coulson@canonical.com> Reviewed-by: N Michal Privoznik <mprivozn@redhat.com>

security: AppArmor profile fixes for swtpm
The AppArmor profile generated by virt-aa-helper is too strict for swtpm. This change contains 2 small fixes: - Relax append access to swtpm's log file to permit write access instead. Append access is insufficient because the log is opened with O_CREAT. - Permit swtpm to acquire a lock on its lock file. Signed-off-by: N Chris Coulson <chris.coulson@canonical.com> Reviewed-by: N Michal Privoznik <mprivozn@redhat.com>
d660dd95 · Chris Coulson · Michal Privoznik · 6ffb8fff · d660dd95
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/security/virt-aa-helper.c src/security/virt-aa-helper.c +2 -2

未找到文件。
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1238,10 +1238,10 @@ get_files(vahControl * ctl)
             * directory, log, and PID files.
             */
            virBufferAsprintf(&buf,
-                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
                LOCALSTATEDIR, uuidstr, tpmpath);
            virBufferAsprintf(&buf,
-                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n",
                LOCALSTATEDIR, ctl->def->name);
            virBufferAsprintf(&buf,
                "  \"%s/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",