2 # AppArmor policy for swtpm
4 #include <tunables/global>
6 profile swtpm /usr/bin/swtpm {
7 #include <abstractions/base>
8 #include <abstractions/openssl>
10 # Site-specific additions and overrides. See local/README for details.
11 #include <local/usr.bin.swtpm>
# Capabilities visible in this listing for the confined swtpm process.
# CAP_DAC_OVERRIDE bypasses file read/write/execute permission checks and
# CAP_DAC_READ_SEARCH bypasses file-read and directory-search checks, so for a
# process holding them ordinary file modes do not limit access; the path rules
# of this profile are the effective bound on what swtpm can open.
# NOTE(review): the "owner" qualifier on file rules compares the task's fsuid
# with the file's owner and is not relaxed by these capabilities - confirm the
# uid swtpm runs under matches the ownership of the paths it needs.
14 capability dac_override,
15 capability dac_read_search,
# Unix-domain socket mediation.
# Datagram rule: send only, on a socket with no local address (addr=none) to a
# peer that also has no address, i.e. unnamed sockets; receive is not granted.
23 unix (send) type=dgram addr=none peer=(addr=none),
# Stream rule: send and receive on an unnamed stream socket, but only when the
# peer is confined under a label matching the glob libvirt-*.
# NOTE(review): the peer is constrained by label pattern alone, so any profile
# whose name starts with "libvirt-" qualifies; presumably these are the
# per-guest profiles libvirt generates - confirm no unrelated profile on the
# host uses that prefix.
24 unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
# File rules. Permissions: r = read, w = write, k = file locking.
# "owner" limits a rule to files whose owner equals the task's fsuid.
# "**" matches across directory levels; "*" stays within one path component.
#
# State directory used when swtpm is started by libvirt (recursive).
# presumably holds the emulated TPM's persistent state - treat as sensitive.
30 owner /var/lib/libvirt/swtpm/** rwk,
# NOTE(review): unlike the neighbouring rules this one has no "owner"
# qualifier, so any *.sock in this directory is accessible regardless of who
# created it; presumably needed because libvirt creates the socket under a
# different uid - confirm, and keep the directory itself writable only by
# libvirt.
31 /run/libvirt/qemu/swtpm/*.sock rwk,
# Per-guest log and pid files; single-level globs, owner-restricted.
32 owner /var/log/swtpm/libvirt/qemu/*.log rwk,
33 owner /run/libvirt/qemu/swtpm/*.pid rwk,
# NOTE(review): with "owner", this read is granted only when the task's fsuid
# equals the owner of /etc/nsswitch.conf (normally root); if swtpm runs as an
# unprivileged user the rule would not match - verify that is intended.
35 owner /etc/nsswitch.conf r,
# State directory and control socket for swtpm outside libvirt's tree.
# The socket rule names one fixed path and grants no lock permission.
36 owner /var/lib/swtpm/** rwk,
37 owner /run/swtpm/sock rw,