swtpm/debian/usr.bin.swtpm
Stefan Berger 47d37ccba2 debian: Add rules for reading profiles from distro and local dirs
Allow a user to pass profiles from the distro or local directories directly
to swtpm. A rule allowing profiles to be read from anywhere under the
HOME directory already exists.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00


# vim:syntax=apparmor
# AppArmor policy for swtpm
#
# Confines /usr/bin/swtpm (the software TPM emulator) whether it is started by
# libvirt for a VM or run directly by a user. Rules accumulate: a path is
# allowed if any rule grants the permission, and an `owner` qualifier limits a
# rule to files whose owner matches the process's fsuid.
#
# NOTE(review): there is no `abi <abi/3.0>,` declaration. On AppArmor 3.x the
# parser then pins the policy to the pre-3.0 compatibility ABI, which can
# affect whether newer mediation classes (the `unix` and `network` rules
# below) are actually enforced -- confirm against the apparmor version this
# package targets.
#include <tunables/global>
profile swtpm /usr/bin/swtpm {
#include <abstractions/base>
#include <abstractions/openssl>
# Site-specific additions and overrides. See local/README for details.
# NOTE(review): a plain `#include` fails to load the whole profile if the
# local file is missing; `include if exists <local/usr.bin.swtpm>` is the
# tolerant form if the supported apparmor version accepts it.
#include <local/usr.bin.swtpm>
# Capabilities. dac_override/dac_read_search bypass file-mode checks only;
# they do NOT relax the `owner` qualifiers on the path rules below, which
# AppArmor evaluates independently of DAC.
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# NOTE(review): CAP_SYS_ADMIN is among the broadest capabilities; the
# operation that needs it is not visible in this file -- confirm it is
# still required and cannot be replaced by a narrower one.
capability sys_admin,
# TCP sockets, presumably for swtpm's tcp server/control socket types.
network inet stream,
network inet6 stream,
# Unix sockets: unconnected datagram sends, and stream exchange with peers
# confined under libvirt's per-VM labels (libvirt-<uuid>).
unix (send) type=dgram addr=none peer=(addr=none),
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
# Own binary: read + mmap.
/usr/bin/swtpm rm,
# System libvirt (root-run libvirtd) pid/socket files. No `owner`, presumably
# because the directory entries are created by libvirtd, not by swtpm.
/run/libvirt/qemu/swtpm/*.pid rwk,
/run/libvirt/qemu/swtpm/*.sock rwk,
# TPM state under the system libvirt tree: write+lock on any file, but read
# only on files swtpm itself owns (see the `owner` rule further down).
/var/lib/libvirt/swtpm/** wk,
# TPM profiles passed with --profile: read-only, one directory level deep,
# and intentionally without `owner` (these files belong to the distro/admin).
/usr/share/swtpm/profiles/*.json r, # distro profiles
/etc/swtpm/profiles/*.json r, # local profiles
# NOTE(review): no `owner` qualifier, so swtpm may read, write and lock any
# file under /tmp regardless of who owns it. If swtpm only touches files it
# created there, `owner /tmp/** rwk,` is the least-privilege form -- confirm.
/tmp/** rwk,
# vTPM proxy control device (kernel tpm_vtpm_proxy), used by swtpm's
# vtpm-proxy mode.
owner /dev/vtpmx rw,
# NOTE(review): /etc/nsswitch.conf is root-owned, so with `owner` this rule
# only matches when swtpm runs as root; a non-root swtpm gets no access from
# it. Probably unintended -- confirm and drop `owner` if so.
owner /etc/nsswitch.conf r,
owner /run/swtpm/sock rw,
# Session (per-user) libvirt: [0-9]* is the user's uid under /run/user.
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.pid rwk,
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock rwk,
owner /var/lib/libvirt/swtpm/** rwk,
owner /var/lib/swtpm/** rwk,
owner /var/log/swtpm/libvirt/qemu/*.log rwk,
# Lets a user run swtpm directly with state, sockets and profiles under their
# home directory.
# NOTE(review): this grants write+lock on every file the user owns under
# $HOME, including shell startup files, so a compromised swtpm could persist
# as the invoking user. If the intent is only to read profiles from $HOME
# (per the commit message) plus a state directory, a read-only rule for
# profiles and a narrower writable path would be tighter -- confirm which
# paths users actually pass.
owner @{HOME}/** rwk,
}