[Bug 1989100] Re: AppArmor DENIES swtpm pid file access

Sun Nov 27 10:34:25 UTC 2022

This bug was fixed in the package swtpm - 0.6.3-0ubuntu5

---------------
swtpm (0.6.3-0ubuntu5) lunar; urgency=medium

  * d/usr.bin.swtpm: Allow swtpm to also access /run/libvirt/qemu/swtpm/*.pid
    files that it does not own (LP: #1989100)

 -- Lena Voytek <lena.voytek at canonical.com>  Mon, 24 Oct 2022 10:52:06
-0700

** Changed in: swtpm (Ubuntu Lunar)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1989100

Title:
  AppArmor DENIES swtpm pid file access

Status in swtpm:
  Unknown
Status in libvirt package in Ubuntu:
  Confirmed
Status in swtpm package in Ubuntu:
  Fix Released
Status in libvirt source package in Kinetic:
  Confirmed
Status in swtpm source package in Kinetic:
  In Progress
Status in libvirt source package in Lunar:
  Confirmed
Status in swtpm source package in Lunar:
  Fix Released

Bug description:
  [Impact]

  When attempting to set up a vm with libvirt using swtpm in Kinetic,
  swtpm's apparmor profile will deny access to the pid file in
  /run/libvirt/qemu/swtpm/.

  The fix for this issue should be backported to Kinetic because it
  blocks all users attempting to set up a libvirt TPM vm with an error.

  This bug is fixed by removing the "owner" tag from the line "owner
  /run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files
  to be used.

  [Test Plan]

  The fix can be tested using virt-manager and an os using TPM:

  # sudo apt update && sudo apt dist-upgrade -y
  # sudo apt install virt-manager swtpm

  Create a vm in virt-manager and on the last page

  > Select "Customize configuration before install"
  > Click Finish

  > Click Add Hardware
  > Select TPM with Model "TIS" and version 2.0

  > Click "Begin Installation"

  [Where problems could occur]

  By removing the owner tag in line in the apparmor profile, any file
  with a .pid extension in /run/libvirt/qemu/swtpm/ will be
  manipulatable by swtpm. If swtpm were to act maliciously, it would
  have an overall greater reach in this folder.

  [Original Description]

  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  One of our CI tests runs virt-install in a specific way that
  ultimately fails with this in the error message:

      ERROR internal error: Could not get process id of swtpm

  The journal has this message:

      audit: type=1400 audit(1662628523.308:121): apparmor="DENIED"
  operation="file_inherit" profile="swtpm"
  name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944
  comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0

  This is nested virtualization. If you need the exact invocation of
  virt-install, I can dig that out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1989100/+subscriptions