vtpm: Run swtpm with an AppArmor profile

stefanberger · stefanberger · commit a54885956afc · 2020-01-03T19:04:49.000Z
Create an AppArmor profile and apply it so that swtpm runs with an AppArmor
profile.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
diff --git a/libcontainer/vtpm/vtpm.go b/libcontainer/vtpm/vtpm.go
@@ -15,6 +15,8 @@ import (
 	"time"
 	"unsafe"
 
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+
 	"github.com/sirupsen/logrus"
 )
 
@@ -53,6 +55,9 @@ type VTPM struct {
 
 	// The minor number of the created device
 	minor uint32
+
+	// The AppArmor profile's full path
+	aaprofile string
 }
 
 // ioctl
@@ -432,6 +437,11 @@ again:
 		return false, err
 	}
 
+	err = vtpm.SetupAppArmor()
+	if err != nil {
+		return false, err
+	}
+
 	tpmname := vtpm.GetTPMDevname()
 	fdstr := fmt.Sprintf("%d", vtpm.fd)
 	tpmstate := fmt.Sprintf("dir=%s", vtpm.StatePath)
@@ -462,6 +472,8 @@ again:
 		return false, err
 	}
 
+	apparmor.ApplyProfileTid("unconfined")
+
 	cmd = exec.Command("swtpm_bios", "-n", "-cs", "-u", "--tpm-device", tpmname)
 	if vtpm.Vtpmversion == VTPM_VERSION_2 {
 		cmd.Args = append(cmd.Args, "--tpm2")
@@ -503,6 +515,8 @@ func (vtpm *VTPM) Stop(deleteStatePath bool) error {
 
 	vtpm.CloseServer()
 
+	vtpm.TeardownAppArmor()
+
 	vtpm.Tpm_dev_num = VTPM_DEV_NUM_INVALID
 
 	if deleteStatePath {
@@ -551,5 +565,82 @@ func (vtpm *VTPM) CloseServer() error {
 		os.NewFile(uintptr(vtpm.fd), "[vtpm]").Close()
 		vtpm.fd = ILLEGAL_FD
 	}
+
+	return nil
+}
+
+// SetupAppArmor creates an apparmor profile for swtpm if AppArmor is enabled and
+// compiles it using apparmor_parser -r <filename> and activates it for the next
+// exec.
+func (vtpm *VTPM) SetupAppArmor() error {
+	var statefilepattern string
+
+	if !apparmor.IsEnabled() {
+		return nil
+	}
+
+	profilename := fmt.Sprintf("runc_%d_swtpm_tpm%d",os.Getpid(), vtpm.GetTPMDevNum())
+	if vtpm.Vtpmversion == VTPM_VERSION_1_2 {
+		statefilepattern = "tpm-00.*"
+	} else {
+		statefilepattern = "tpm2-00.*"
+	}
+
+	profile := fmt.Sprintf("\n#include <tunables/global>\n"+
+		"profile %s {\n"+
+		"  #include <abstractions/base>\n"+
+		"  capability setgid,\n"+
+		"  capability setuid,\n"+
+		"  /dev/tpm[0-9]* rw,\n"+
+		"  owner /etc/group r,\n"+
+		"  owner /etc/nsswitch.conf r,\n"+
+		"  owner /etc/passwd r,\n"+
+		"  %s/.lock wk,\n"+
+		"  %s/swtpm.log w,\n"+
+		"  %s/swtpm.pid rw,\n"+
+		"  %s/%s rw,\n"+
+		"}\n",
+		profilename,
+		vtpm.StatePath,
+		vtpm.StatePath,
+		vtpm.StatePath,
+		vtpm.StatePath,
+		statefilepattern)
+
+	vtpm.aaprofile = path.Join(vtpm.StatePath, "swtpm.apparmor")
+
+	err := ioutil.WriteFile(vtpm.aaprofile, []byte(profile), 0600)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err != nil {
+			vtpm.TeardownAppArmor()
+		}
+	}()
+
+	cmd := exec.Command("/sbin/apparmor_parser", "-r", vtpm.aaprofile)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("apparmor_parser -r failed: %s", string(output))
+	}
+
+	err = apparmor.ApplyProfileTid(profilename)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
+
+// TeardownAppArmor removes the AppArmor profile from the system and ensures
+// that the next time the process exec's no swtpm related profile is applied
+func (vtpm *VTPM) TeardownAppArmor() {
+	apparmor.ApplyProfileTid("unconfined")
+	if len(vtpm.aaprofile) > 0 {
+		cmd := exec.Command("/sbin/apparmor_parser", "-R", vtpm.aaprofile)
+		cmd.Run()
+		os.Remove(vtpm.aaprofile)
+		vtpm.aaprofile = ""
+	}
+}
