# vim:syntax=apparmor
# AppArmor policy for swtpm
#
# Confines the swtpm software-TPM emulator when it is executed from
# /usr/bin/swtpm. The capability, network and unix rules below define
# what the emulator may do beyond plain file access; the file rules are
# the effective boundary because dac_override/dac_read_search let the
# process bypass ordinary DAC permission checks on the paths it is granted.

#include <tunables/global>

profile swtpm /usr/bin/swtpm {
#include <abstractions/base>
#include <abstractions/openssl>

# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.swtpm>

# Ownership/mode changes and uid/gid switching. Presumably used to set up
# state directories and drop privileges -- confirm against swtpm's
# --runas / chown handling before narrowing this set.
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,

# IPv4/IPv6 TCP sockets for swtpm's socket-based interfaces.
# NOTE(review): no bind/listen/connect restriction is expressed here.
network inet stream,
network inet6 stream,
# Datagram send with no peer constraint (looks like logging to a local
# socket -- confirm). Stream traffic is restricted to peers confined under
# a libvirt-* label, i.e. the libvirt daemons that drive the emulator.
unix (send) type=dgram addr=none peer=(addr=none),
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

# The binary itself: read + mmap (no execute transition is defined).
/usr/bin/swtpm rm,

# Scratch and state paths. Rules without the 'owner' qualifier match files
# regardless of their owner; 'owner' rules only match files owned by the
# uid swtpm is running as. /tmp/** and the libvirt control socket are the
# non-owner rules here, so they grant access to any user's files there.
/tmp/** rwk,
owner @{HOME}/** rwk,
owner /var/lib/libvirt/swtpm/** rwk,
/run/libvirt/qemu/swtpm/*.sock rwk,
owner /var/log/swtpm/libvirt/qemu/*.log rwk,
owner /run/libvirt/qemu/swtpm/*.pid rwk,
# Kernel vTPM proxy device (CUSE/vtpm proxy mode).
owner /dev/vtpmx rw,
owner /etc/nsswitch.conf r,
owner /var/lib/swtpm/** rwk,
owner /run/swtpm/sock rw,
}