Hmm, ok, I expected libvirt to call this e.g. from src/qemu/qemu_tpm.c, and I already wondered why it is the guest's profile. But since it runs under the guest's profile it must be more like "libvirt -> qemu -> ??? -> swtpm_setup" - do you have an example of the call path that you see?
Only once we somewhat understand when/how/why it calls swtpm_setup can we decide on one of:

a) might be called in any config, can't be detected from guest devices, need to add it to TEMPLATE.qemu
b) will only be called when configured, have libvirt-aa-helper detect tpm and only then add abstractions/openssl to the guest's rules
c) is generally safe and not a problem to add (only read access), add it to TEMPLATE.qemu
d) is actually not called by qemu but by libvirt, ???? is the reason it is under the guest's profile

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968187

Title:
  apparmor denial when using swtpm

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1968187/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs