From 82e53fd91980c66bfac7d6000ce59148113480ae Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 2 May 2022 18:12:07 +0100
Subject: [PATCH] feat(profiles): add swtpm, swtpm_localca and swtpm_setup.
---
 apparmor.d/profiles-s-z/swtpm | 26 +++++++++++++++++++++
 apparmor.d/profiles-s-z/swtpm_localca | 33 +++++++++++++++++++++++++++
 apparmor.d/profiles-s-z/swtpm_setup | 30 ++++++++++++++++++++++++
 dists/flags/main.flags | 4 ++++
 4 files changed, 93 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/swtpm
 create mode 100644 apparmor.d/profiles-s-z/swtpm_localca
 create mode 100644 apparmor.d/profiles-s-z/swtpm_setup
diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm
new file mode 100644
index 00000000..acbeffb7
--- /dev/null
+++ b/apparmor.d/profiles-s-z/swtpm
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/swtpm
+profile swtpm @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,
+ /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw,
+
+ /var/log/swtpm/libvirt/qemu/*-swtpm.log w,
+
+ /tmp/.swtpm_setup.pidfile.* rw,
+
+ @{run}/libvirt/qemu/swtpm/*.sock w,
+ @{run}/libvirt/qemu/swtpm/*.pid w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca
new file mode 100644
index 00000000..59fae73c
--- /dev/null
+++ b/apparmor.d/profiles-s-z/swtpm_localca
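Review bot: The rule `/tmp/.swtpm_setup.pidfile.* rw,` in the swtpm profile carries no `owner` qualifier, while the swtpm_setup profile in the same commit writes the same pidfile as `owner /tmp/.swtpm_setup.pidfile* rw,`. Since /tmp is shared between users, an unqualified rule lets the confined process open a matching file that some other user created there; `owner /tmp/.swtpm_setup.pidfile.* rw,` keeps the access tied to files swtpm itself owns, matching the sibling profile. The same applies to `/tmp/swtpm_setup.certs.*/*.cert rw,` in the swtpm_localca hunk, where swtpm_setup again uses `owner /tmp/swtpm_setup.certs.*/ w,` for the same directory. The two pidfile globs also differ (`pidfile.*` here, `pidfile*` in swtpm_setup); aligning them would avoid one profile matching a name the other does not, though which form is right depends on the name swtpm actually creates.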
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/swtpm_localca
+profile swtpm_localca @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/certtool rix,
+ /{usr/,}bin/swtpm_cert rix,
+
+ /etc/swtpm-localca.conf r,
+ /etc/swtpm-localca.options r,
+
+ /var/log/swtpm/libvirt/qemu/*-swtpm.log w,
+
+ /var/lib/swtpm-localca/*.pem r,
+ /var/lib/swtpm-localca/.lock.swtpm-localca rwk,
+ /var/lib/swtpm-localca/certserial rw,
+
+ /tmp/swtpm_setup.certs.*/*.cert rw,
+
+ @{run}/libvirt/qemu/swtpm/*.sock w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup
new file mode 100644
index 00000000..90bebb8b
--- /dev/null
+++ b/apparmor.d/profiles-s-z/swtpm_setup
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/swtpm_setup
+profile swtpm_setup @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/swtpm rPx,
+ /{usr/,}bin/swtpm_localca rPx,
+
+ /etc/swtpm_setup.conf r,
+
+ /var/log/swtpm/{,**} w,
+ /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,
+
+ owner /tmp/swtpm_setup.certs.*/ w,
+ owner /tmp/.swtpm_setup.pidfile* rw,
+
+ @{run}/systemd/userdb/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index a035ef6f..b159123c 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -86,6 +86,10 @@ ssh complain
 sshd attach_disconnected,complain
 su complain
 sudo complain
+swtpm complain
+swtpm_ioctl complain
+swtpm_localca complain
+swtpm_setup complain
 sysctl complain
 systemd-analyze complain
 systemd-ask-password complain
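Review bot: The rule `/var/log/swtpm/{,**} w,` in the swtpm_setup profile grants write access to every file and directory under /var/log/swtpm, whereas the swtpm and swtpm_localca profiles added in the same commit scope their log writes to `/var/log/swtpm/libvirt/qemu/*-swtpm.log w,`. A write-everything rule on a log tree also covers any other logs later placed there, which is broader than a setup helper should need. Unless swtpm_setup has been observed writing to other paths in that tree, narrowing to `/var/log/swtpm/libvirt/qemu/*-swtpm.log w,` keeps the three profiles consistent; if it also creates the directories, a separate `/var/log/swtpm/{,libvirt/,libvirt/qemu/} w,` line is more precise than the recursive glob.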
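Review bot: The added line `swtpm_ioctl complain` in main.flags has no matching profile in this commit; the diffstat and the three `create mode` entries cover only swtpm, swtpm_localca and swtpm_setup. If no swtpm_ioctl profile already exists in the tree, the flag entry is dead and will surprise whoever later adds the profile expecting to set its flags themselves. Either drop the line until that profile lands, or add the swtpm_ioctl profile in this commit so the flags table and the profile set stay in step.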