Commit Graph

7 Commits

Author SHA1 Message Date
Stefan Berger
cc52b200b0 debian: Add rule to allow usage of /var/tmp directory (QEMU)
QEMU's functional tests need access to /var/tmp/**. To avoid the following
type of AppArmor permission failures add a rule that allows access to
/var/tmp/**.

 type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
   operation="mknod" class="file" profile="swtpm" \
   name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
   requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="stefanb" \
   OUID="stefanb"

[ To run QEMU's functional tests use the following command:
    make check-functional ]

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-11-06 15:22:58 -05:00
Stefan Berger
47d37ccba2 debian: Add rules for reading profiles from distro and local dirs
Allow a user to pass profiles from the distro or local dirs directly
to swtpm. A rule to allow reading profiles from somewhere under the
HOME directory already exists.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Lena Voytek
84042ab8b2 debian: Allow non-owner file write access in /var/lib/libvirt/swtpm/
swtpm sometimes needs to create lock files in subdirectories of
/var/lib/libvirt/swtpm/. Since libvirt sets the owner of these
subdirectories to root, apparmor blocks swtpm's access to this when set to
owner. Add write permissions for lock files without the owner restriction
to the folder to fix wc denials.

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2024-06-28 15:12:10 -04:00
Lena Voytek
4f6163ba45 debian: Add sys_admin capability to apparmor profile
Some features of swtpm require kernel modules, such as --vtpm-proxy. Fix
apparmor denials related to this by adding capability sys_admin to the apparmor
profile.

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2024-06-28 15:12:10 -04:00
Stefan Berger
3d620d0dd5 debian: Sync AppArmor profile with what is used by Ubuntu
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-11 11:03:03 -04:00
Lena Voytek
f732f489c2 debian: Allow apparmor access to qemu session bus swtpm files
When running a VM connected to qemu:///session, swtpm needs access to its own
process id and socket files in /run/user/<UID>/libvirt/qemu/run/swtpm/. Add
permissions to access them in the apparmor profile.

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2023-08-10 20:03:06 -04:00
Lena Voytek
3d2747a1be debian: Add swtpm apparmor profile
An apparmor profile was added for Debian-based distributions in order to
increase security. This blocks swtpm from accessing restricted and unnecessary
files, folders, and network interfaces. swtpm works as normal alongside libvirt
and its configurations; however, users may run into issues when using swtpm on
its own when providing it with a restricted directory. The apparmor profile can
be modified to include additional permissions by creating and adding to the
file /etc/apparmor.d/local/usr.bin.swtpm.

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2022-05-05 20:58:30 -04:00
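The commits above all follow the same loop: an AVC denial shows up in the audit log, someone reads the profile, path, mask and uid fields out of it, and a rule goes into the profile or into the local override file /etc/apparmor.d/local/usr.bin.swtpm named in 3d2747a1be. The script below is an added example for this page, not swtpm's, Debian's or Ubuntu's own tooling, and it does not reproduce the real swtpm profile. It parses audit lines of the shape quoted in cc52b200b0 and turns them into candidate rules: the create mask "c" becomes "w" as a rule permission, a path under /var/tmp/ is collapsed to /var/tmp/** the way that commit did, the "owner" prefix is kept only when fsuid equals ouid (the root-owned libvirt directory case from 84042ab8b2 loses it), and a capability denial becomes "capability sys_admin," as in 4f6163ba45. The first sample line is the denial from the commit log, joined onto one line; the other three sample lines, the UUID directory, and the mask-to-rule mapping are constructed for the example.

```python
"""Turn AppArmor AVC denials into candidate rules for a local override file.

Added example for this commit log, not swtpm's or Debian's own tooling. It
parses audit lines of the shape quoted in commit cc52b200b0 and prints rules
that could go into /etc/apparmor.d/local/usr.bin.swtpm (the override file
named in commit 3d2747a1be). The mask mapping and the 'owner' heuristic are
the example's own; whether a rule belongs in the profile is a human decision.
"""
import re
from typing import Optional

# key="value" or key=value; quoted values may contain spaces, bare ones cannot.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Denial-mask letters with no rule equivalent: create (c) and delete (d) are
# granted by 'w' on the path. Exec letters are dropped on purpose; an exec
# rule needs an explicit ix/px/ux choice that no script should guess.
_MASK_TO_RULE = {"c": "w", "d": "w"}
_RULE_ORDER = "rwalkm"


def parse_avc(line: str) -> dict:
    """Return the key/value pairs of one AVC line, quotes stripped."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in _TOKEN.findall(line)}


def normalize_mask(mask: str) -> str:
    """Map an AppArmor denied_mask to the permission letters a rule accepts."""
    letters = {_MASK_TO_RULE.get(ch, ch) for ch in mask}
    return "".join(ch for ch in _RULE_ORDER if ch in letters)


def generalize(path: str, prefixes) -> str:
    """Collapse a path under a known scratch directory into a glob, the way
    /var/tmp/qemu_<random>/... became /var/tmp/** in commit cc52b200b0."""
    for prefix in prefixes:
        if path.startswith(prefix):
            return prefix.rstrip("/") + "/**"
    return path


def suggest_rule(ev: dict, prefixes=()) -> Optional[str]:
    """One candidate rule for a DENIED event, or None for anything else."""
    if ev.get("apparmor") != "DENIED":
        return None  # complain-mode ALLOWED lines, unrelated records, etc.
    if "capname" in ev:
        return f"capability {ev['capname']},"
    if "name" in ev and "denied_mask" in ev:
        mode = normalize_mask(ev["denied_mask"])
        if not mode:
            return None
        # Keep the rule owner-restricted when the denied access was by the
        # file's own owner; drop 'owner' when fsuid != ouid, which is the
        # root-owned libvirt directory case from commit 84042ab8b2.
        owner = "owner " if ev.get("fsuid") == ev.get("ouid") else ""
        return f"{owner}{generalize(ev['name'], prefixes)} {mode},"
    return None


# Line 1 is the denial quoted in commit cc52b200b0, joined onto one line with
# the run-together 'ouid=1000FSUID' token split. Lines 2-4 are constructed for
# this example (the UUID directory is made up) and are not real swtpm output.
SAMPLE_LOG = """\
type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="stefanb" OUID="stefanb"
type=AVC msg=audit(1730829900.101:261): apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/1d3c4a52-5f8b-4c1e-9d63-2f1a0b7e9c44/tpm2/.lock" pid=4102 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=0 FSUID="libvirt-qemu" OUID="root"
type=AVC msg=audit(1730829910.202:262): apparmor="DENIED" operation="capable" class="cap" profile="swtpm" pid=4102 comm="swtpm" capability=21 capname="sys_admin"
type=AVC msg=audit(1730829920.303:263): apparmor="ALLOWED" operation="open" class="file" profile="swtpm" name="/etc/swtpm-localca.conf" pid=4102 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""


def suggest_rules(log_text: str, prefixes=("/var/tmp/",)) -> list:
    """Deduplicated candidate rules for every DENIED line in log_text."""
    rules = []
    for line in log_text.splitlines():
        rule = suggest_rule(parse_avc(line), prefixes)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


def render_local_override(rules) -> str:
    """Text for /etc/apparmor.d/local/usr.bin.swtpm. That file is included
    inside the main profile's braces, so it holds bare rules, not a profile."""
    header = ["# Site-local additions to the swtpm profile, derived from denials.",
              "# Review every rule: a denial is evidence of a need, not a grant."]
    return "\n".join(header + [f"  {r}" for r in rules]) + "\n"


if __name__ == "__main__":
    print(render_local_override(suggest_rules(SAMPLE_LOG)), end="")
```

Run stand-alone it prints three rules: "owner /var/tmp/** w," for the QEMU socket, the lock-file path without "owner" because the denial came from a uid other than the file owner, and "capability sys_admin,". The "owner" choice is the least-privilege default; dropping it, as 84042ab8b2 had to for lock files under root-owned directories, widens the rule to every uid the profile runs as, so it is worth confining that to the narrowest path that works. After editing the override file, reload the profile with apparmor_parser -r so the change takes effect.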