[libvirt] [PATCH v8 13/18] security: Add swtpm paths to the domain's AppArmor profile

Stefan Berger posted 18 patches 6 years, 11 months ago
Posted by Stefan Berger 6 years, 11 months ago
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.

Both QEMU and swtpm use this AppArmor profile.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/libvirt-qemu |  3 +++
 src/security/virt-aa-helper.c  | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 2c47652250..854729d0ae 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,9 @@
   /usr/{lib,lib64}/qemu/*.so mr,
   /usr/lib/@{multiarch}/qemu/*.so mr,
 
+  # swtpm
+  /usr/bin/swtpm rmix,
+
   # for save and resume
   /{usr/,}bin/dash rmix,
   /{usr/,}bin/dd rmix,
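Review bot: the new rule hardcodes `/usr/bin/swtpm` while the neighbouring entries in this block use the `/{usr/,}bin/` alternation (`/{usr/,}bin/dash rmix,`, `/{usr/,}bin/dd rmix,`), so a swtpm binary installed under `/bin` would be denied execution; `/{usr/,}bin/swtpm rmix,` would match the surrounding convention. Since `ix` makes swtpm inherit the guest's profile (as the commit message says, both processes share it), every file swtpm touches must also be listed in that profile, so this rule is only useful together with the per-domain paths emitted by virt-aa-helper.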
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d0f9876da5..6ee436e66c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1185,6 +1185,30 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (ctl->def->tpm) {
+        char *shortName = virDomainDefGetShortName(ctl->def);
+        switch (ctl->def->tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+            virBufferAsprintf(&buf,
+                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" x,\n",
+                LOCALSTATEDIR, shortName);
+            /* paths for swtpm to use */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s,tpm2/**\" rw,\n",
+                LOCALSTATEDIR, uuidstr);
+            virBufferAsprintf(&buf,
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" rw,\n",
+                LOCALSTATEDIR, shortName);
+            virBufferAsprintf(&buf,
+                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+                LOCALSTATEDIR, shortName);
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        }
+    }
+
     if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
         for (i = 0; i < ctl->def->nnets; i++) {
             virDomainNetDefPtr net = ctl->def->nets[i];
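Review bot: `shortName` is allocated by `virDomainDefGetShortName()` but is neither checked for NULL nor freed after the `switch`, so the emulator branch may pass a NULL pointer to `virBufferAsprintf()` and every call of `get_files()` for a TPM-enabled domain leaks the string; add a NULL check and `VIR_FREE(shortName);` after the switch. The socket rule `"  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" x,\n"` is also wrong: AppArmor rejects a bare `x` (an exec permission must be qualified as `ix`, `px`, `ux` and so on), and a Unix socket that QEMU connects to needs `rw`, not an exec permission. In the state-directory rule `"  \"%s/lib/libvirt/swtpm/%s,tpm2/**\" rw,\n"` the `,` between the UUID and `tpm2` reads like a typo for `/`; as written the rule would never match the real state directory. Finally, `uuidstr` is used here but not declared in this hunk, so please confirm it is formatted earlier in `get_files()` before this block runs.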
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v8 13/18] security: Add swtpm paths to the domain's AppArmor profile
Posted by Ján Tomko 6 years, 11 months ago
On Thu, May 24, 2018 at 04:26:09PM -0400, Stefan Berger wrote:
>This patch extends the AppArmor domain profile with file paths
>the swtpm accesses for state, log, pid, and socket files.
>
>Both QEMU and swtpm use this AppArmor profile.
>
>Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
>Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
>---
> examples/apparmor/libvirt-qemu |  3 +++
> src/security/virt-aa-helper.c  | 24 ++++++++++++++++++++++++
> 2 files changed, 27 insertions(+)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
Re: [libvirt] [PATCH v8 13/18] security: Add swtpm paths to the domain's AppArmor profile
Posted by Stefan Berger 6 years, 11 months ago
On 06/02/2018 09:32 AM, Ján Tomko wrote:
> On Thu, May 24, 2018 at 04:26:09PM -0400, Stefan Berger wrote:
>> This patch extends the AppArmor domain profile with file paths
>> the swtpm accesses for state, log, pid, and socket files.
>>
>> Both QEMU and swtpm use this AppArmor profile.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
>> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
>> ---
>> examples/apparmor/libvirt-qemu |  3 +++
>> src/security/virt-aa-helper.c  | 24 ++++++++++++++++++++++++
>> 2 files changed, 27 insertions(+)
>>
>
> Reviewed-by: Ján Tomko <jtomko@redhat.com>
>
For this one I will have to post an update...
> Jano


Re: [libvirt] [PATCH v8 13/18] security: Add swtpm paths to the domain's AppArmor profile
Posted by Stefan Berger 6 years, 11 months ago
On 05/24/2018 04:26 PM, Stefan Berger wrote:
> This patch extends the AppArmor domain profile with file paths
> the swtpm accesses for state, log, pid, and socket files.
>
> Both QEMU and swtpm use this AppArmor profile.
>
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>   examples/apparmor/libvirt-qemu |  3 +++
>   src/security/virt-aa-helper.c  | 24 ++++++++++++++++++++++++
>   2 files changed, 27 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 2c47652250..854729d0ae 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -158,6 +158,9 @@
>     /usr/{lib,lib64}/qemu/*.so mr,
>     /usr/lib/@{multiarch}/qemu/*.so mr,
>
> +  # swtpm
> +  /usr/bin/swtpm rmix,
> +
>     # for save and resume
>     /{usr/,}bin/dash rmix,
>     /{usr/,}bin/dd rmix,

I cannot get the existing AppArmor profiles in examples/apparmor to work. So this is an addition that I would anticipate is necessary. Whether this plus the extensions to virt-aa-helper.c below are sufficient is not clear.

> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index d0f9876da5..6ee436e66c 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1185,6 +1185,30 @@ get_files(vahControl * ctl)
>           }
>       }
>
> +    if (ctl->def->tpm) {
> +        char *shortName = virDomainDefGetShortName(ctl->def);
> +        switch (ctl->def->tpm->type) {
> +        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> +            virBufferAsprintf(&buf,
> +                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.sock\" x,\n",
> +                LOCALSTATEDIR, shortName);
> +            /* paths for swtpm to use */
> +            virBufferAsprintf(&buf,
> +                "  \"%s/lib/libvirt/swtpm/%s,tpm2/**\" rw,\n",
> +                LOCALSTATEDIR, uuidstr);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" rw,\n",
> +                LOCALSTATEDIR, shortName);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
> +                LOCALSTATEDIR, shortName);
> +            break;
> +        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
> +        case VIR_DOMAIN_TPM_TYPE_LAST:
> +            break;
> +        }
> +    }
> +
>       if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>           for (i = 0; i < ctl->def->nnets; i++) {
>               virDomainNetDefPtr net = ctl->def->nets[i];

