[Bug 1989100] Re: AppArmor DENIES swtpm pid file access
Launchpad Bug Tracker
1989100 at bugs.launchpad.net
Sun Nov 27 10:34:25 UTC 2022
This bug was fixed in the package swtpm - 0.6.3-0ubuntu5
---------------
swtpm (0.6.3-0ubuntu5) lunar; urgency=medium
* d/usr.bin.swtpm: Allow swtpm to also access /run/libvirt/qemu/swtpm/*.pid
files that it does not own (LP: #1989100)
-- Lena Voytek <lena.voytek at canonical.com> Mon, 24 Oct 2022 10:52:06
-0700
** Changed in: swtpm (Ubuntu Lunar)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1989100
Title:
AppArmor DENIES swtpm pid file access
Status in swtpm:
Unknown
Status in libvirt package in Ubuntu:
Confirmed
Status in swtpm package in Ubuntu:
Fix Released
Status in libvirt source package in Kinetic:
Confirmed
Status in swtpm source package in Kinetic:
In Progress
Status in libvirt source package in Lunar:
Confirmed
Status in swtpm source package in Lunar:
Fix Released
Bug description:
[Impact]
When attempting to set up a vm with libvirt using swtpm in Kinetic,
swtpm's apparmor profile will deny access to the pid file in
/run/libvirt/qemu/swtpm/.
The fix for this issue should be backported to Kinetic because it
blocks all users attempting to set up a libvirt TPM vm with an error.
This bug is fixed by removing the "owner" tag from the line "owner
/run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files
to be used.
[Test Plan]
The fix can be tested using virt-manager and an os using TPM:
# sudo apt update && sudo apt dist-upgrade -y
# sudo apt install virt-manager swtpm
Create a vm in virt-manager and on the last page
> Select "Customize configuration before install"
> Click Finish
> Click Add Hardware
> Select TPM with Model "TIS" and version 2.0
> Click "Begin Installation"
[Where problems could occur]
By removing the owner tag in line in the apparmor profile, any file
with a .pid extension in /run/libvirt/qemu/swtpm/ will be
manipulatable by swtpm. If swtpm were to act maliciously, it would
have an overall greater reach in this folder.
[Original Description]
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that
ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED"
operation="file_inherit" profile="swtpm"
name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944
comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of
virt-install, I can dig that out.
To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1989100/+subscriptions
More information about the foundations-bugs
mailing list