swtpm/debian/usr.bin.swtpm
Lena Voytek 3d2747a1be debian: Add swtpm apparmor profile
An apparmor profile was added for Debian-based distributions in order to
increase security. It blocks swtpm from accessing restricted and unnecessary
files, directories, and network interfaces. swtpm works as normal alongside
libvirt and its configurations; however, users may run into issues when running
swtpm on its own and pointing it at a restricted directory. The apparmor profile
can be extended with additional permissions by creating and adding to the
file /etc/apparmor.d/local/usr.bin.swtpm.

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2022-05-05 20:58:30 -04:00


# vim:syntax=apparmor
# AppArmor policy for swtpm
#
# Confines /usr/bin/swtpm (software TPM emulator) to the files, sockets and
# capabilities listed here. AppArmor rules are additive and order-independent:
# anything not granted below is denied (and logged as apparmor="DENIED" with
# profile="swtpm" in the audit/kernel log). Site-specific permissions belong in
# /etc/apparmor.d/local/usr.bin.swtpm, not in this file.
#include <tunables/global>
profile swtpm /usr/bin/swtpm {
# Common base permissions (shared libraries, locale data, /dev/null, ...) and
# the OpenSSL config/engine paths swtpm's crypto library may read.
#include <abstractions/base>
#include <abstractions/openssl>
# Site-specific additions and overrides. See local/README for details.
# NOTE(review): a plain include fails to parse when the local file is absent,
# so packaging must install an (empty) local/usr.bin.swtpm; `include if exists`
# would make it optional on parsers that support that form.
#include <local/usr.bin.swtpm>
# Capabilities: presumably for ownership/mode fix-ups of state directories and
# for dropping to an unprivileged user (e.g. --runas). Note that dac_override
# and dac_read_search bypass file mode bits, so for a root-started swtpm the
# path rules below are the only thing limiting which files it can touch.
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# TCP only (v4 and v6); no UDP, no raw sockets. Presumably for swtpm's
# TCP server/control interfaces -- confirm against the deployment.
network inet stream,
network inet6 stream,
# Unnamed local sockets: one-way datagram send (looks like syslog via
# /dev/log -- verify) and bidirectional stream traffic with peers running
# under a libvirt-* label.
unix (send) type=dgram addr=none peer=(addr=none),
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
# Own binary: read + mmap executable.
/usr/bin/swtpm rm,
# NOTE(review): /tmp/** carries no `owner` qualifier, so combined with
# dac_override a root-started swtpm may read/write/lock any file under /tmp
# regardless of who owns it. `owner /tmp/** rwk,` would confine this further;
# confirm first that it does not break flows where files are created before a
# privilege drop (those would be owned by root, not the runtime uid).
/tmp/** rwk,
# Standalone use: TPM state under the invoking user's home.
owner @{HOME}/** rwk,
# libvirt-managed state, sockets, logs and pid files. The *.sock rule has no
# `owner` qualifier -- presumably because the directory/socket may be created
# by a different uid than the one swtpm runs as; verify.
owner /var/lib/libvirt/swtpm/** rwk,
/run/libvirt/qemu/swtpm/*.sock rwk,
owner /var/log/swtpm/libvirt/qemu/*.log rwk,
owner /run/libvirt/qemu/swtpm/*.pid rwk,
# Kernel vTPM proxy device (used when swtpm is run in vtpm-proxy mode).
owner /dev/vtpmx rw,
# NOTE(review): `owner` here means the read is only granted while swtpm's fsuid
# matches the file owner (root on typical systems); after a privilege drop the
# read falls through to whatever abstractions/base permits -- verify that is
# intended.
owner /etc/nsswitch.conf r,
# System-wide state directory and control socket for non-libvirt deployments.
owner /var/lib/swtpm/** rwk,
owner /run/swtpm/sock rw,
}