authorManuel Bentele2021-11-08 13:12:03 +0100
committerManuel Bentele2021-11-08 13:12:03 +0100
commite31be23d561e2d5787d5ad305bca082ce270ea5e (patch)
tree96b15dce5d3ab540ec4a6c05a51b7616378c3642 /core
parent[swtpm] Add module for TPM emulation for QEMU machines (e.g. Windows 11) (diff)
[swtpm] Change permissions for cert dir user access
Diffstat (limited to 'core')
-rw-r--r--core/modules/libvirt-src/module.build6
-rw-r--r--core/modules/libvirt-src/module.conf4
-rwxr-xr-xcore/modules/libvirt/data/opt/openslx/pam/hooks/auth-final-exec.d/46-add-to-libvirt-tpm.sh5
-rw-r--r--core/modules/libvirt/module.conf1
-rw-r--r--core/modules/swtpm/module.build11
5 files changed, 25 insertions, 2 deletions
diff --git a/core/modules/libvirt-src/module.build b/core/modules/libvirt-src/module.build
index 936255cb..2b380cb3 100644
--- a/core/modules/libvirt-src/module.build
+++ b/core/modules/libvirt-src/module.build
@@ -4,11 +4,15 @@ LIBVIRT_QEMU_USR="libvirt-qemu"
LIBVIRT_QEMU_GRP="kvm"
LIBVIRT_PTHR_GRP="libvirt-passthrough"
+# group to access software TPM module
+# group is already created by swtpm module
+LIBVIRT_STPM_GRP="libvirt-tpm"
+
module_init() {
groupadd --system "${LIBVIRT_QEMU_GRP}"
groupadd --system "${LIBVIRT_QEMU_USR}"
groupadd --system "${LIBVIRT_PTHR_GRP}"
- useradd --gid "${LIBVIRT_QEMU_GRP}" --groups "${LIBVIRT_QEMU_USR},${LIBVIRT_PTHR_GRP}" --system \
+ useradd --gid "${LIBVIRT_QEMU_GRP}" --groups "${LIBVIRT_QEMU_USR},${LIBVIRT_PTHR_GRP},${LIBVIRT_STPM_GRP}" --system \
--no-create-home --home-dir "/var/lib/libvirt" "${LIBVIRT_QEMU_USR}"
}
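Review bot: `useradd` on the changed line now fails outright if `libvirt-tpm` does not exist yet, and its exit status is not checked, so a missing group would leave the build without the `libvirt-qemu` user and without a visible error. The added comment says the swtpm module creates the group, but nothing in this hunk verifies that its `module_init` ran first; whether `REQUIRED_MODULES` guarantees that ordering is not visible here. Appending `|| perror "useradd ${LIBVIRT_QEMU_USR} failed (group ${LIBVIRT_STPM_GRP} missing?)"` to the end of the command would surface the problem, using the same `perror` helper that swtpm/module.build already calls.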
diff --git a/core/modules/libvirt-src/module.conf b/core/modules/libvirt-src/module.conf
index 32c95e48..e3f78eb5 100644
--- a/core/modules/libvirt-src/module.conf
+++ b/core/modules/libvirt-src/module.conf
@@ -1,5 +1,9 @@
#!/bin/bash
+REQUIRED_MODULES="
+ swtpm
+"
+
REQUIRED_GIT="
https://gitlab.com/libvirt/libvirt.git||v7.7.0
"
diff --git a/core/modules/libvirt/data/opt/openslx/pam/hooks/auth-final-exec.d/46-add-to-libvirt-tpm.sh b/core/modules/libvirt/data/opt/openslx/pam/hooks/auth-final-exec.d/46-add-to-libvirt-tpm.sh
new file mode 100755
index 00000000..2ccec616
--- /dev/null
+++ b/core/modules/libvirt/data/opt/openslx/pam/hooks/auth-final-exec.d/46-add-to-libvirt-tpm.sh
@@ -0,0 +1,5 @@
+#!/bin/ash
+
+adduser "${PAM_USER}" "libvirt-tpm"
+
+exit 0
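Review bot: This hook adds every account that passes PAM authentication to `libvirt-tpm`, and the same commit gives that group write access to `/var/lib/swtpm-localca` (`chmod 775` in swtpm/module.build), so any logged-in user could alter or replace what is stored there. In a default swtpm-localca configuration that directory holds the local CA's signing key and issuer certificate, so it is worth confirming that this is intended, or narrowing access to the account that actually runs swtpm. The unconditional `exit 0` also hides a failed `adduser`, and `PAM_USER` is never checked for being set; consider `[ -n "${PAM_USER}" ] || exit 0` before the call and `adduser "${PAM_USER}" "libvirt-tpm" || logger -t libvirt-tpm "adduser failed for ${PAM_USER}"` in place of the bare call. A header comment such as `# session users need libvirt-tpm so swtpm can write certificates to the local CA dir` would record why the membership is granted.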
diff --git a/core/modules/libvirt/module.conf b/core/modules/libvirt/module.conf
index 68ca993a..11090887 100644
--- a/core/modules/libvirt/module.conf
+++ b/core/modules/libvirt/module.conf
@@ -2,7 +2,6 @@
REQUIRED_MODULES="
libvirt-src
- swtpm
"
REQUIRED_BINARIES=""
diff --git a/core/modules/swtpm/module.build b/core/modules/swtpm/module.build
index 0d4264b4..6157017f 100644
--- a/core/modules/swtpm/module.build
+++ b/core/modules/swtpm/module.build
@@ -1,4 +1,11 @@
#!/bin/bash
+
+LIBVIRT_STPM_GRP="libvirt-tpm"
+
+module_init() {
+ groupadd --system "${LIBVIRT_STPM_GRP}"
+}
+
fetch_source() {
autoclone
}
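Review bot: `LIBVIRT_STPM_GRP` is defined here and again in libvirt-src/module.build, and the same name is hard-coded as a string literal in the 46-add-to-libvirt-tpm.sh hook, so a later rename has three places to miss. A comment on the assignment such as `# keep in sync with libvirt-src/module.build and the 46-add-to-libvirt-tpm.sh PAM hook` would document the coupling. The new `groupadd` is also unchecked, unlike the `|| perror` calls in `build()`. If `module_init` only ever runs on a fresh root, `groupadd --system "${LIBVIRT_STPM_GRP}" || perror "groupadd ${LIBVIRT_STPM_GRP} failed."` would match that style; if it can run more than once, an existence check with `getent group` is needed first, because `groupadd` returns non-zero for an existing group.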
@@ -61,6 +68,10 @@ build() {
make || perror "'make' failed."
DESTDIR="${DSTDIR}" make install || perror "'make install' failed."
+ # change group and permissions for libvirt-tpm members
+ chgrp "${LIBVIRT_STPM_GRP}" /var/lib/swtpm-localca
+ chmod 775 /var/lib/swtpm-localca
+
rm "${SRCDIR_BIN}/pkg-config"
# restore old environment so that following pkg-config calls are not modified