swtpm/debian/usr.bin.swtpm
Lena Voytek 84042ab8b2 debian: Allow non-owner file write access in /var/lib/libvirt/swtpm/
swtpm sometimes needs to create lock files in subdirectories of
/var/lib/libvirt/swtpm/. Since libvirt sets the owner of these
subdirectories to root, apparmor blocks swtpm's access to this when set to
owner. Add write permissions for lock files without the owner restriction
to the folder to fix wc denials.

Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
2024-06-28 15:12:10 -04:00


# vim:syntax=apparmor
# AppArmor policy for swtpm
#include <tunables/global>
profile swtpm /usr/bin/swtpm {
#include <abstractions/base>
#include <abstractions/openssl>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.swtpm>

# Capabilities granted to the confined process. dac_override and
# dac_read_search bypass ordinary file-permission checks and sys_admin is
# very broad, so each of these applies wherever the path rules below allow
# access.
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
capability sys_admin,

# TCP sockets, IPv4 and IPv6.
network inet stream,
network inet6 stream,

# Unix sockets: unbound datagram sends, and bidirectional stream traffic
# with any peer labelled libvirt-*.
unix (send) type=dgram addr=none peer=(addr=none),
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

# The confined binary itself: read and memory-map.
/usr/bin/swtpm rm,

# Pid and socket files for libvirt's system instance. Not owner-restricted.
/run/libvirt/qemu/swtpm/*.pid rwk,
/run/libvirt/qemu/swtpm/*.sock rwk,
# Read, write and lock on everything under /tmp, regardless of owner.
/tmp/** rwk,

# Write and lock on the libvirt TPM state tree without the owner
# restriction: libvirt creates the per-domain subdirectories as root, so an
# owner-only rule cannot cover the lock files swtpm creates there (see the
# commit message).
# NOTE(review): this matches every path under the tree, not only lock files.
# If the lock file has a fixed name, the glob could be narrowed to it, e.g.
# /var/lib/libvirt/swtpm/**/<LOCK_FILE_NAME> wk, (placeholder name), so that
# non-owner write access does not extend to the TPM state files themselves.
/var/lib/libvirt/swtpm/** wk,

# Owner-restricted rules: these match only paths owned by the uid swtpm
# runs as.
owner /dev/vtpmx rw,
owner /etc/nsswitch.conf r,
owner /run/swtpm/sock rw,
# Pid and socket files for per-user libvirt session instances.
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.pid rwk,
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock rwk,
# Adds read access on owned state files; w and k on this tree are already
# granted by the non-owner rule above.
owner /var/lib/libvirt/swtpm/** rwk,
owner /var/lib/swtpm/** rwk,
owner /var/log/swtpm/libvirt/qemu/*.log rwk,
# Read, write and lock anywhere under the invoking user's home directory.
owner @{HOME}/** rwk,
}