apparmor profile: adapt state file locations PVE supports

we can have them as standard file (*most* of the time that would be
in /var/lib/vz or /mnt/pve/**), as LV/RBD in /dev or as zfs volume
anywhere, so basically we need to cut the profile in scope a lot and
allow write access in any place of the FS hierarchy for now (we plan
to have a mount namspace where we bind mount VM disk/state into in
the long term).

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
index 44835127193bc683995fa13911393d53faa1259c..7f9618f1152daa7479915e9e623455c638daadc4 100644 (file)
--- a/debian/usr.bin.swtpm
+++ b/debian/usr.bin.swtpm
@@ -25,14 +25,6 @@ profile swtpm /usr/bin/swtpm {
 
   /usr/bin/swtpm rm,
 
-  /tmp/** rwk,
-  owner @{HOME}/** rwk,
-  owner /var/lib/libvirt/swtpm/** rwk,
-  /run/libvirt/qemu/swtpm/*.sock rwk,
-  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
-  owner /run/libvirt/qemu/swtpm/*.pid rwk,
-  owner /dev/vtpmx rw,
-  owner /etc/nsswitch.conf r,
-  owner /var/lib/swtpm/** rwk,
-  owner /run/swtpm/sock rw,
+  # Proxmox VE allow to save states on many possible locations, so allow everything for now.
+  /** rwk,
 }