From 313ab529df190f752ba3daa526afe61a8f13aa13 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue, 5 Nov 2024 13:09:06 -0500
Subject: [PATCH] debian: Add rule to allow usage of /var/tmp directory (QEMU)

QEMU's avocado tests need access to /var/tmp/**. To avoid the following
type of AppArmor permissiong failures add a rule that allows access to
/var/tmp/**.

 type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
   operation="mknod" class="file" profile="swtpm" \
   name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
   requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000FSUID="stefanb" \
   OUID="stefanb"

To run the QEMU avocado test use the following command:

 make check-avocado \
   AVOCADO_TESTS=tests/avocado/machine_aspeed.py:AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 debian/usr.bin.swtpm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
index cd7f5e8a4..a6e8a6275 100644
--- a/debian/usr.bin.swtpm
+++ b/debian/usr.bin.swtpm
@@ -4,6 +4,7 @@
 #include <tunables/global>
 
 profile swtpm /usr/bin/swtpm {
+  #include <abstractions/user-tmp>
   #include <abstractions/base>
   #include <abstractions/openssl>