
Add apparmor profile for vtpm service #3277

Merged (7 commits) Jun 15, 2023

Conversation

shjala

@shjala shjala commented Jun 12, 2023

This commit, amongst other minor changes, mainly adds an apparmor profile for the vtpm service and consequently for the tpm2-tools used by the vtpm service.

The confined (sandboxed) vtpm service passed the tests from azure-on-eve and eve-tools.

@shjala shjala requested review from eriknordmark and rvs as code owners June 12, 2023 08:01
@shjala

shjala commented Jun 12, 2023

Will fix yetus after the review is done.


@eriknordmark eriknordmark left a comment


Should we add some document specifying the privileges/access that this container has? I don't know if we can summarize that in a format which would also make sense as we add limitations for other linuxkit containers and for pillar microservices.

We currently don't have a well-defined place to put this; maybe a pkg/vtpm/README.md, since it would be overkill to add a pkg/vtpm/docs directory, I think.

Meanwhile, let's kick off regression tests.

@shjala shjala closed this Jun 15, 2023
@shjala shjala force-pushed the pkg_vtpm_aa branch 2 times, most recently from 8597c5a to 5cadd87 June 15, 2023 09:21
shjala added 7 commits June 15, 2023 09:26
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Allow loading libraries from "/usr/local/..."; this is a rule that is
going to be used by other profiles, so add it to the base abstraction
to avoid repeated copies of the rule in the individual profiles.

Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
vtpm is running as root and in the initial namespace (not in a userns), so
there is no need to grant it capabilities.

Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
Signed-off-by: Shahriyar Jalayeri <shahriyar@zededa.com>
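As an added illustration of the two commit messages above (this is not the profile from this PR, whose actual rules are not shown on this page), a minimal AppArmor layout: a shared base abstraction that carries the /usr/local library rule once, and a vtpm profile that includes it and contains no capability rules. The abstraction and profile file names are assumptions, and the binary and state-directory paths are labelled placeholders.

```apparmor
# --- /etc/apparmor.d/abstractions/base-eve (assumed file name; added example) ---
# Shared rules pulled into every profile with #include, so the
# /usr/local library rule lives in one place instead of being
# copied into each individual profile.
  /usr/local/lib/             r,
  /usr/local/lib/**/          r,
  /usr/local/lib/**.so*       mr,

# --- /etc/apparmor.d/vtpm (assumed file name; added example) ---
# No "capability ..." lines: the service runs as root in the initial
# namespace, so capability grants would add nothing it does not already
# have, and leaving them out keeps the profile minimal.
#include <tunables/global>

profile vtpm /PLACEHOLDER_PATH_TO_VTPM_BINARY {
  #include <abstractions/base>      # stock abstraction: libc, /proc, etc.
  #include <abstractions/base-eve>  # the shared /usr/local rule above

  # placeholder: the service's own state directory (real path not on this page)
  owner /PLACEHOLDER_VTPM_STATE_DIR/** rwk,

  # everything not listed is denied once the profile is loaded in enforce mode
}
```

Load with `apparmor_parser -r /etc/apparmor.d/vtpm` and confirm with `aa-status` that the profile is in enforce mode; a denied access shows up in the kernel log as an `apparmor="DENIED"` audit line naming the profile and the path.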
@shjala

shjala commented Jun 15, 2023

Git jitters 😅, closed by accident.

@shjala shjala reopened this Jun 15, 2023
@shjala

shjala commented Jun 15, 2023

> Should we add some document specifying the privileges/access that this container has? I don't know if we can summarize that in a format which would also make sense as we add limitations for other linuxkit containers and for pillar microservices.
>
> We currently don't have a well-defined place to put this; maybe a pkg/vtpm/README.md, since it would be overkill to add a pkg/vtpm/docs directory, I think.
>
> Meanwhile, let's kick off regression tests.

Sure, I will add a table listing all accesses and the reason behind each.

@eriknordmark

@shjala Let me merge this now and you can add the docs later.

@eriknordmark eriknordmark merged commit 8f56f27 into lf-edge:master Jun 15, 2023
@shjala shjala deleted the pkg_vtpm_aa branch August 21, 2023 11:50