[Bug 1992377] Re: Apparmor denies writing to swtpm lock file in user's home directory

Lena Voytek 1992377 at bugs.launchpad.net
Wed Nov 16 19:16:17 UTC 2022


Going over this bug again, there are some different requirements for it
to be fixed compared to LP: #1989100. As such I'm removing duplicate
status for now.

** Tags removed: server-todo

** This bug is no longer a duplicate of bug 1989100
   AppArmor DENIES swtpm pid file access

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1992377

Title:
  Apparmor denies writing to swtpm lock file in user's home directory

Status in swtpm:
  Unknown
Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  Triaged
Status in swtpm source package in Kinetic:
  Fix Released

Bug description:
  When a user uses a tpm state directory for swtpm located somewhere in
  their home directory, apparmor will deny the creation of a lock file
  when a qemu vm boots, showing a message such as:

  audit: type=1400 audit(1665412130.135:170): apparmor="DENIED"
  operation="mknod" profile="swtpm" name="/home/.../tpmstatedir/.lock"
  pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000
  ouid=1000

  This is due to a missing line in the apparmor profile that has been
  added upstream:

  owner @{HOME}/** rwk,

  To test (using a Windows 11 iso):

  $ sudo apt install swtpm qemu-kvm
  $ qemu-img create -f qcow2 win11.img 64G
  $ mkdir ~/tpmstatedir
  $ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
  $ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso

To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1992377/+subscriptions
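The denial in the report and the one-line profile fix can be checked mechanically. The script below is an added example, not code from the bug report or from the swtpm project: it parses an AppArmor audit DENIED record, then tests whether a profile excerpt carries an `owner @{HOME}/** ...,` rule that would grant the denied access. It assumes the default tunable, where `@{HOME}` expands to `/home/*/` and `/root/`, and it uses constructed sample lines (the denial from the report with the elided path filled in as `/home/user/...`, plus a variant where the lock file is owned by root) and constructed profile excerpts.

```shell
#!/bin/sh
# Added example (not from the bug report or the swtpm project): parse an AppArmor
# audit DENIED line and check whether a profile excerpt would now permit it.
# Assumes the default tunable, where @{HOME} expands to /home/*/ and /root/.

# Constructed denial, modelled on the one in the bug report (path filled in).
SAMPLE_DENIAL='audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/user/tpmstatedir/.lock" pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'
# Constructed variant: same path, but the lock file is owned by root (ouid=0).
SAMPLE_ROOT_OWNED='audit: type=1400 audit(1665412130.135:171): apparmor="DENIED" operation="open" profile="swtpm" name="/home/user/tpmstatedir/.lock" pid=5218 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0'

# Constructed profile excerpts: without and with the upstream rule.
PROFILE_BEFORE='  /var/lib/swtpm-localca/** rwk,
  /tmp/** rwk,'
PROFILE_AFTER="$PROFILE_BEFORE
  owner @{HOME}/** rwk,"

# denial_field LINE KEY: print the value of KEY from an audit line.
# Handles both quoted (name="...") and bare (fsuid=1000) values.
denial_field() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" -e t \
        -e "s/.*[[:space:]]$2=\([^[:space:]\"]*\).*/\1/p"
}

# has_home_rule PROFILE MODE: succeed if PROFILE has an "owner @{HOME}/** <perms>,"
# rule whose perms include every letter of MODE.
has_home_rule() {
    mode=$(printf '%s\n' "$1" | sed -n \
        's|^[[:space:]]*owner[[:space:]][[:space:]]*@{HOME}/\*\*[[:space:]][[:space:]]*\([a-z]*\),[[:space:]]*$|\1|p' \
        | head -n 1)
    [ -n "$mode" ] || return 1
    for ch in $(printf '%s\n' "$2" | sed 's/./& /g'); do
        case "$mode" in *"$ch"*) ;; *) return 1 ;; esac
    done
    return 0
}

# denial_is_fixed LINE PROFILE: 0 if PROFILE's owner @{HOME} rule would allow the
# denied access, 1 if not, 2 if LINE is not an AppArmor DENIED record.
denial_is_fixed() {
    [ "$(denial_field "$1" apparmor)" = "DENIED" ] || return 2
    path=$(denial_field "$1" name)
    # The rule only covers paths under @{HOME}.
    case "$path" in /home/*/*|/root/*) ;; *) return 1 ;; esac
    # "owner" rules match only when the file's owner (ouid) equals the task's fsuid.
    [ "$(denial_field "$1" fsuid)" = "$(denial_field "$1" ouid)" ] || return 1
    # Audit masks report create (c) and delete (d); a rule grants both via w.
    needed=$(denial_field "$1" denied_mask | tr cd ww)
    has_home_rule "$2" "$needed"
}

# Stand-alone report for the two constructed denials against the fixed profile.
for line in "$SAMPLE_DENIAL" "$SAMPLE_ROOT_OWNED"; do
    if denial_is_fixed "$line" "$PROFILE_AFTER"; then
        echo "allowed by fix:  $(denial_field "$line" operation) $(denial_field "$line" name)"
    else
        echo "still denied:    $(denial_field "$line" operation) $(denial_field "$line" name) (ouid=$(denial_field "$line" ouid))"
    fi
done
```

The `owner` qualifier is the part worth noticing when reading a denial: the rule grants access only when `fsuid` and `ouid` in the audit record agree, so a lock file under `~/tpmstatedir` that was created by a different user (for example by running swtpm once under `sudo`) will keep being denied even with the upstream rule in place. To check a live system, feed lines from `journalctl -k` or `dmesg` to `denial_field` and the profile text from `/etc/apparmor.d/` to `has_home_rule`.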