debian: Add rule to allow usage of /var/tmp directory (QEMU)

QEMU's avocado tests need access to /var/tmp/**. To avoid the following type of AppArmor permissiong failures add a rule that allows access to /var/tmp/**. type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \ operation="mknod" class="file" profile="swtpm" \ name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \ requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000FSUID="stefanb" \ OUID="stefanb" To run the QEMU avocado test use the following command: make check-avocado \ AVOCADO_TESTS=tests/avocado/machine_aspeed.py:AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · Nov 5, 2024 · 313ab52 · 313ab52
1 parent 1982c51
commit 313ab52
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
@@ -4,6 +4,7 @@
 #include <tunables/global>
 
 profile swtpm /usr/bin/swtpm {
+  #include <abstractions/user-tmp>
   #include <abstractions/base>
   #include <abstractions/openssl>