Code review comment for ~lvoytek/ubuntu/+source/swtpm:swtpm-lp1950631-add-apparmor-jammy

> @Lena
> looking at this initial profile also a question about
> include <abstractions/libvirt-qemu>
> Did your experiments end up with a profile very close to this abstraction so
> that you added it?
> Or was this just the assumption that it needs to be used in libvirt/qemu
> scope?
>
> Because that abstraction allows a lot that I'd expect swtpm to not need.
> After all it is more like
>
>
> qemu (does qemu things) - needs abstractions/libvirt-qemu
> ^
> |
> v
> socket
> ^
> |
> v
> swtpm (does swtpm things) does not need abstractions/libvirt-qemu
>
> base, ssl, common used paths, that all LGTM, but the libvirt-qemu abstraction
> I'm not sure.
> Happy to get explained why I'm wrong :-)
>
> I hope this alignment survives, but TL;DR without studying it further the
> abstractions/libvirt-qemu seems too much for swtpm.

That's fair. When building the profile aa-logprof recommended I add it in because swtpm wanted to use multiple permissions from it. In its current state though, when I take the include out and put it in complain mode, it only needs the capability dac_override from it. Do you think it would be better to just add that instead, and should I try to restrict it further?

Thanks!