mirror of
https://github.com/stefanberger/swtpm.git
synced 2025-08-22 10:30:52 +00:00
cc52b200b0
QEMU's functional tests need access to /var/tmp/**. To avoid the following
type of AppArmor permission failures add a rule that allows access to
/var/tmp/**.
type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
operation="mknod" class="file" profile="swtpm" \
name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000FSUID="stefanb" \
OUID="stefanb"
[ To run the QEMU's functional tests use the following command:
make check-functional ]
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
47 lines
1.2 KiB
Plaintext
47 lines
1.2 KiB
Plaintext
# vim:syntax=apparmor
|
|
# AppArmor policy for swtpm
|
|
|
|
#include <tunables/global>
|
|
|
|
profile swtpm /usr/bin/swtpm {
|
|
#include <abstractions/user-tmp>
|
|
#include <abstractions/base>
|
|
#include <abstractions/openssl>
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/usr.bin.swtpm>
|
|
|
|
capability chown,
|
|
capability dac_override,
|
|
capability dac_read_search,
|
|
capability fowner,
|
|
capability fsetid,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_admin,
|
|
|
|
network inet stream,
|
|
network inet6 stream,
|
|
unix (send) type=dgram addr=none peer=(addr=none),
|
|
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
|
|
|
|
/usr/bin/swtpm rm,
|
|
|
|
/run/libvirt/qemu/swtpm/*.pid rwk,
|
|
/run/libvirt/qemu/swtpm/*.sock rwk,
|
|
/var/lib/libvirt/swtpm/** wk,
|
|
/usr/share/swtpm/profiles/*.json r, # distro profiles
|
|
/etc/swtpm/profiles/*.json r, # local profiles
|
|
/tmp/** rwk,
|
|
|
|
owner /dev/vtpmx rw,
|
|
owner /etc/nsswitch.conf r,
|
|
owner /run/swtpm/sock rw,
|
|
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.pid rwk,
|
|
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock rwk,
|
|
owner /var/lib/libvirt/swtpm/** rwk,
|
|
owner /var/lib/swtpm/** rwk,
|
|
owner /var/log/swtpm/libvirt/qemu/*.log rwk,
|
|
owner @{HOME}/** rwk,
|
|
}
|