1. Patchew
  2. Libvirt
  3. [libvirt] [PATCH v9 00/17] Add support for TPM emulator
  4. View patch

[libvirt] [PATCH v9 13/17] security: Add swtpm paths to the domain's AppArmor profile

Stefan Berger posted 17 patches 6 years, 11 months ago
[libvirt] [PATCH v9 13/17] security: Add swtpm paths to the domain's AppArmor profile
Posted by Stefan Berger 6 years, 11 months ago 
This patch extends the AppArmor domain profile with file paths
the swtpm accesses for state, log, pid, and socket files.

Both, QEMU and swtpm, use this AppArmor profile.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 examples/apparmor/libvirt-qemu |  3 +++
 src/security/virt-aa-helper.c  | 45 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 2c47652250..854729d0ae 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -158,6 +158,9 @@
   /usr/{lib,lib64}/qemu/*.so mr,
   /usr/lib/@{multiarch}/qemu/*.so mr,
 
+  # swtpm
+  /usr/bin/swtpm rmix,
+
   # for save and resume
   /{usr/,}bin/dash rmix,
   /{usr/,}bin/dd rmix,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index d0f9876da5..7a6fb31e9a 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1185,6 +1185,51 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (ctl->def->tpm) {
+        char *shortName = NULL;
+        const char *tpmpath = NULL;
+
+        switch (ctl->def->tpm->type) {
+        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+            shortName = virDomainDefGetShortName(ctl->def);
+
+            switch (ctl->def->tpm->version) {
+            case VIR_DOMAIN_TPM_VERSION_1_2:
+                tpmpath = "tpm1.2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_2_0:
+                tpmpath = "tpm2";
+                break;
+            case VIR_DOMAIN_TPM_VERSION_DEFAULT:
+            case VIR_DOMAIN_TPM_VERSION_LAST:
+                break;
+            }
+
+            /* Unix socket for QEMU and swtpm to use */
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
+                shortName);
+            /* Paths for swtpm to use: give it access to its state
+             * directory, log, and PID files.
+             */
+            virBufferAsprintf(&buf,
+                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
+                LOCALSTATEDIR, uuidstr, tpmpath);
+            virBufferAsprintf(&buf,
+                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
+                LOCALSTATEDIR, ctl->def->name);
+            virBufferAsprintf(&buf,
+                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
+                shortName);
+
+            VIR_FREE(shortName);
+            break;
+        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        case VIR_DOMAIN_TPM_TYPE_LAST:
+            break;
+        }
+    }
+
     if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
         for (i = 0; i < ctl->def->nnets; i++) {
             virDomainNetDefPtr net = ctl->def->nets[i];
-- 
2.14.3

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v9 13/17] security: Add swtpm paths to the domain's AppArmor profile
Posted by Stefan Berger 6 years, 11 months ago 
On 06/04/2018 11:46 AM, Stefan Berger wrote:
> This patch extends the AppArmor domain profile with file paths
> the swtpm accesses for state, log, pid, and socket files.
>
> Both, QEMU and swtpm, use this AppArmor profile.
>
> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
> Cc: Christian Ehrhardt <christian.ehrhardt@canonical.com>

After the recent changes I had made to it, I didn't think it was 
appropriate to take the Reviewed-by. Can someone have a (quick) look?

    Stefan

> ---
>   examples/apparmor/libvirt-qemu |  3 +++
>   src/security/virt-aa-helper.c  | 45 ++++++++++++++++++++++++++++++++++++++++++
>   2 files changed, 48 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index 2c47652250..854729d0ae 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -158,6 +158,9 @@
>     /usr/{lib,lib64}/qemu/*.so mr,
>     /usr/lib/@{multiarch}/qemu/*.so mr,
>
> +  # swtpm
> +  /usr/bin/swtpm rmix,
> +
>     # for save and resume
>     /{usr/,}bin/dash rmix,
>     /{usr/,}bin/dd rmix,
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index d0f9876da5..7a6fb31e9a 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -1185,6 +1185,51 @@ get_files(vahControl * ctl)
>           }
>       }
>
> +    if (ctl->def->tpm) {
> +        char *shortName = NULL;
> +        const char *tpmpath = NULL;
> +
> +        switch (ctl->def->tpm->type) {
> +        case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> +            shortName = virDomainDefGetShortName(ctl->def);
> +
> +            switch (ctl->def->tpm->version) {
> +            case VIR_DOMAIN_TPM_VERSION_1_2:
> +                tpmpath = "tpm1.2";
> +                break;
> +            case VIR_DOMAIN_TPM_VERSION_2_0:
> +                tpmpath = "tpm2";
> +                break;
> +            case VIR_DOMAIN_TPM_VERSION_DEFAULT:
> +            case VIR_DOMAIN_TPM_VERSION_LAST:
> +                break;
> +            }
> +
> +            /* Unix socket for QEMU and swtpm to use */
> +            virBufferAsprintf(&buf,
> +                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
> +                shortName);
> +            /* Paths for swtpm to use: give it access to its state
> +             * directory, log, and PID files.
> +             */
> +            virBufferAsprintf(&buf,
> +                "  \"%s/lib/libvirt/swtpm/%s/%s/**\" rw,\n",
> +                LOCALSTATEDIR, uuidstr, tpmpath);
> +            virBufferAsprintf(&buf,
> +                "  \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" a,\n",
> +                LOCALSTATEDIR, ctl->def->name);
> +            virBufferAsprintf(&buf,
> +                "  \"/run/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
> +                shortName);
> +
> +            VIR_FREE(shortName);
> +            break;
> +        case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
> +        case VIR_DOMAIN_TPM_TYPE_LAST:
> +            break;
> +        }
> +    }
> +
>       if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>           for (i = 0; i < ctl->def->nnets; i++) {
>               virDomainNetDefPtr net = ctl->def->nets[i];


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.