[Bug 1992377] Re: Apparmor denies writing to swtpm lock file in user's home directory
Lena Voytek
1992377 at bugs.launchpad.net
Wed Nov 16 19:16:17 UTC 2022
Going over this bug again, there are some different requirements for it
to be fixed compared to LP: #1989100. As such I'm removing duplicate
status for now.
** Tags removed: server-todo
** This bug is no longer a duplicate of bug 1989100
AppArmor DENIES swtpm pid file access
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1992377
Title:
Apparmor denies writing to swtpm lock file in user's home directory
Status in swtpm:
Unknown
Status in swtpm package in Ubuntu:
Fix Released
Status in swtpm source package in Jammy:
Triaged
Status in swtpm source package in Kinetic:
Fix Released
Bug description:
When a user uses a TPM state directory for swtpm located somewhere in
their home directory, AppArmor will deny the creation of a lock file
when a qemu VM boots, showing a message such as:
audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/.../tpmstatedir/.lock" pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
This is due to a missing line in the AppArmor profile that has been
added upstream:
owner @{HOME}/** rwk,
To test (using a Windows 11 ISO):
$ sudo apt install swtpm qemu-kvm
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir ~/tpmstatedir
$ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
# swtpm stays in the foreground; run the next command from a second terminal (or append & to the swtpm command)
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso
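The denial above is what a practitioner has to triage before trusting the fix. The following script is an added example, not code from the bug report or from the swtpm project: it parses an AppArmor DENIED audit record of the kind quoted in the bug, translates the denied mask into the permission letters a file rule must grant (the mknod "c" mask is a form of write, so "w" covers it), confirms the path is under a user's home and owned by the uid swtpm runs as (the precondition for an "owner" rule), and checks whether a profile file already carries the upstream line "owner @{HOME}/** rwk,". The sample record is constructed (the home path "/home/alice" is made up, since the bug elides it) and the profile path /etc/apparmor.d/usr.bin.swtpm is an assumption about where Ubuntu installs the swtpm profile.

```shell
#!/bin/sh
# Added example, not code from the bug report or the swtpm project.
# Parses an AppArmor "DENIED" audit record like the one in this bug, works out
# which file permissions a profile rule must grant, and checks whether a
# profile file already carries the upstream fix line "owner @{HOME}/** rwk,".

# Constructed sample record modelled on the denial quoted in the bug; the
# /home/alice path is made up.
SAMPLE_DENIAL='audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/alice/tpmstatedir/.lock" pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'

# Assumed location of the Ubuntu swtpm profile; override if yours differs.
SWTPM_PROFILE=${SWTPM_PROFILE:-/etc/apparmor.d/usr.bin.swtpm}

# aa_field RECORD KEY: print the value of KEY from an audit record,
# whether it is written key="value" or key=value.
aa_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# aa_is_denial RECORD: succeed only for apparmor="DENIED" records.
aa_is_denial() {
    case "$1" in *'apparmor="DENIED"'*) return 0 ;; *) return 1 ;; esac
}

# mask_to_perms MASK: map an audit mask to rule permission letters. The
# create ("c"), append ("a") and delete ("d") masks are all granted by "w".
mask_to_perms() {
    printf '%s' "$1" | sed 's/[cad]/w/g' | fold -w1 | sort -u | tr -d '\n'
}

# rule_covers RULE_PERMS NEEDED: succeed if every needed letter is in the rule.
rule_covers() {
    for p in $(printf '%s\n' "$2" | fold -w1); do
        case "$1" in *"$p"*) ;; *) return 1 ;; esac
    done
    return 0
}

# denial_in_home RECORD: succeed if the denied path is under /home/<user> and
# the file's owner (ouid) is the uid swtpm runs as (fsuid), so "owner" applies.
denial_in_home() {
    name=$(aa_field "$1" name)
    fsuid=$(aa_field "$1" fsuid)
    ouid=$(aa_field "$1" ouid)
    case "$name" in /home/*/*) [ "$fsuid" = "$ouid" ] ;; *) return 1 ;; esac
}

# profile_has_home_rule FILE: succeed if FILE contains the upstream fix line
# (whitespace-insensitive).
profile_has_home_rule() {
    grep -Eq '^[[:space:]]*owner[[:space:]]+@\{HOME\}/\*\*[[:space:]]+rwk,' "$1"
}

# Walk the sample record the way you would walk a real one from dmesg or
# journalctl -k.
if aa_is_denial "$SAMPLE_DENIAL"; then
    needed=$(mask_to_perms "$(aa_field "$SAMPLE_DENIAL" denied_mask)")
    printf 'profile=%s op=%s path=%s needs=%s\n' \
        "$(aa_field "$SAMPLE_DENIAL" profile)" \
        "$(aa_field "$SAMPLE_DENIAL" operation)" \
        "$(aa_field "$SAMPLE_DENIAL" name)" "$needed"
    if denial_in_home "$SAMPLE_DENIAL" && rule_covers rwk "$needed"; then
        echo 'fix: add "owner @{HOME}/** rwk," to the swtpm profile'
    fi
    if [ -r "$SWTPM_PROFILE" ]; then
        if profile_has_home_rule "$SWTPM_PROFILE"; then
            echo "$SWTPM_PROFILE already has the rule"
        else
            echo "$SWTPM_PROFILE lacks the rule; add it, then run: sudo apparmor_parser -r $SWTPM_PROFILE"
        fi
    fi
fi
```

The "owner" qualifier is what keeps the rule narrow: it only matches files whose owner is the uid swtpm runs as, which is why the script checks fsuid against ouid before recommending it. After editing the profile, reload it with apparmor_parser -r and restart swtpm; a remaining denial in dmesg means the state directory is outside @{HOME} or owned by another user, and the same parsing shows which.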
To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1992377/+subscriptions