[Bug 1989100] Re: AppArmor DENIES swtpm pid file access

Lena Voytek 1989100 at bugs.launchpad.net
Thu Dec 1 18:18:55 UTC 2022 

Verified with the following steps:

$ sudo su
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
# exit

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install virt-manager swtpm

Created a Windows 11 vm in virt-manager and on the last page added TPM
2.0

Clicked "Begin Installation"

VM started successfully

** Tags removed: verification-needed verification-needed-kinetic
** Tags added: verification-done verification-done-kinetic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1989100

Title:
  AppArmor DENIES swtpm pid file access

Status in swtpm:
  Unknown
Status in libvirt package in Ubuntu:
  Confirmed
Status in swtpm package in Ubuntu:
  Fix Released
Status in libvirt source package in Kinetic:
  Confirmed
Status in swtpm source package in Kinetic:
  Fix Committed
Status in libvirt source package in Lunar:
  Confirmed
Status in swtpm source package in Lunar:
  Fix Released

Bug description:
  [Impact]

  When attempting to set up a vm with libvirt using swtpm in Kinetic,
  swtpm's apparmor profile will deny access to the pid file in
  /run/libvirt/qemu/swtpm/.

  The fix for this issue should be backported to Kinetic because it
  blocks all users attempting to set up a libvirt TPM vm with an error.

  This bug is fixed by removing the "owner" tag from the line "owner
  /run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files
  to be used.

  [Test Plan]

  The fix can be tested using virt-manager and an os using TPM:

  # sudo apt update && sudo apt dist-upgrade -y
  # sudo apt install virt-manager swtpm

  Create a vm in virt-manager and on the last page

  > Select "Customize configuration before install"
  > Click Finish

  > Click Add Hardware
  > Select TPM with Model "TIS" and version 2.0

  > Click "Begin Installation"

  [Where problems could occur]

  By removing the owner tag in line in the apparmor profile, any file
  with a .pid extension in /run/libvirt/qemu/swtpm/ will be
  manipulatable by swtpm. If swtpm were to act maliciously, it would
  have an overall greater reach in this folder.

  [Original Description]

  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  One of our CI tests runs virt-install in a specific way that
  ultimately fails with this in the error message:

      ERROR internal error: Could not get process id of swtpm

  The journal has this message:

      audit: type=1400 audit(1662628523.308:121): apparmor="DENIED"
  operation="file_inherit" profile="swtpm"
  name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944
  comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0

  This is nested virtualization. If you need the exact invocation of
  virt-install, I can dig that out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1989100/+subscriptions

More information about the foundations-bugs mailing list