swtpm/debian/usr.bin.swtpm
Luca Boccassi e9dfe88740 apparmor: add support for mkosi integration working directory
mkosi integrates with swtpm to automatically set up and build
VMs with vTPM support. The working directory is in an ephemeral
namespace that appears as /work/tmp/, and apparmor stops swtpm
from creating the local state files (lockfile, etc).
Add a policy entry to allow this to work.

Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com>
2025-11-30 10:28:09 -05:00


# vim:syntax=apparmor
# AppArmor policy for swtpm (confines /usr/bin/swtpm).
# AppArmor rules are additive: every rule below grants an access and
# anything not granted is denied, so each grant should be as narrow as the
# use case (libvirt system/session, mkosi, standalone) actually needs.
#include <tunables/global>
profile swtpm /usr/bin/swtpm {
#include <abstractions/user-tmp>
#include <abstractions/base>
#include <abstractions/openssl>
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.swtpm>
# Capabilities. setuid/setgid are presumably for dropping privileges
# (swtpm --runas), and chown/fowner/fsetid/dac_* for fixing up ownership and
# permissions of state files created before the drop -- TODO confirm against
# the swtpm sources rather than this guess.
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# NOTE(review): CAP_SYS_ADMIN is close to root-equivalent. Record which
# swtpm operation needs it here, or drop it if nothing observably breaks.
capability sys_admin,
# TCP sockets (IPv4 and IPv6); presumably for swtpm's tcp server/control
# channel options. No UDP is granted.
network inet stream,
network inet6 stream,
# Unix sockets: unlabeled datagram sends only (e.g. logging), and stream
# traffic only with peers confined under a libvirt-* profile.
unix (send) type=dgram addr=none peer=(addr=none),
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
/usr/bin/swtpm rm,
# libvirt system-instance runtime files (pid and control socket).
/run/libvirt/qemu/swtpm/*.pid rwk,
/run/libvirt/qemu/swtpm/*.sock rwk,
# Write and lock (no read) on libvirt TPM state regardless of owner; the
# owner-qualified rule further down adds read for swtpm's own files.
/var/lib/libvirt/swtpm/** wk,
/usr/share/swtpm/profiles/*.json r, # distro profiles
/etc/swtpm/profiles/*.json r, # local profiles
# NOTE(review): not owner-restricted -- any file under /tmp is readable,
# writable and lockable by swtpm. abstractions/user-tmp (included above)
# presumably already covers the owner-only case; verify what this rule adds.
/tmp/** rwk,
# For mkosi integration https://github.com/systemd/mkosi
# mkosi runs swtpm with its working directory in an ephemeral namespace that
# appears as /work/tmp/; swtpm needs to create its state/lock files there.
# NOTE(review): as with /tmp/**, this grants access to every file under
# /work/tmp regardless of owner. Since swtpm creates these files itself,
# `owner /work/tmp/** rwk,` may be sufficient -- confirm mkosi does not
# start swtpm as one user and have it drop to another before checking.
/work/tmp/** rwk,
# vTPM proxy control device (kernel tpm_vtpm_proxy, judging by the path).
owner /dev/vtpmx rw,
owner /etc/nsswitch.conf r,
owner /run/swtpm/sock rw,
# libvirt session-instance runtime files (per-user runtime dir).
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.pid rwk,
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock rwk,
owner /var/lib/libvirt/swtpm/** rwk,
owner /var/lib/swtpm/** rwk,
owner /var/log/swtpm/libvirt/qemu/*.log rwk,
# NOTE(review): broad -- lets swtpm read, write and lock any file the
# invoking user owns anywhere under their home directory, not just a
# tpmstate directory. Consider narrowing if a conventional path exists.
owner @{HOME}/** rwk,
}