From e9dfe887404fe73038890d5af0baa9bf432d93e1 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 22 Nov 2025 20:26:39 +0000
Subject: [PATCH] apparmor: add support for mkosi integration working directory

mkosi integrates with swtpm to automatically set up and build VMs with vTPM support. The working directory is in an ephemeral namespace that appears as /work/tmp/, and apparmor stops swtpm from creating the local state files (lockfile, etc). Add a policy entry to allow this to work.

Signed-off-by: Luca Boccassi
---
 debian/usr.bin.swtpm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
index a6e8a62..6676758 100644
--- a/debian/usr.bin.swtpm
+++ b/debian/usr.bin.swtpm
@@ -33,6 +33,8 @@ profile swtpm /usr/bin/swtpm {
 /usr/share/swtpm/profiles/*.json r, # distro profiles
 /etc/swtpm/profiles/*.json r, # local profiles
 /tmp/** rwk,
+ # For mkosi integration https://github.com/systemd/mkosi
+ /work/tmp/** rwk,
 owner /dev/vtpmx rw,
 owner /etc/nsswitch.conf r,