[Bug 1992377] [NEW] Apparmor denies writing to swtpm lock file in user's home directory
Lena Voytek
1992377 at bugs.launchpad.net
Mon Oct 10 21:50:52 UTC 2022
Public bug reported:
When a user uses a TPM state directory for swtpm located somewhere in
their home directory, AppArmor will deny the creation of a lock file
when a QEMU VM boots, showing a message such as:
audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/.../tpmstatedir/.lock" pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
This is due to a missing line in the AppArmor profile that has been
added upstream:
owner @{HOME}/** rwk,
To test (using a Windows 11 iso):
$ sudo apt install swtpm qemu-kvm
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir ~/tpmstatedir
$ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso
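Added example (not part of the bug report and not code from the swtpm project): a POSIX shell script that parses AppArmor DENIED audit lines of the shape shown above, decides for each one whether the upstream rule `owner @{HOME}/** rwk,` would have granted the access, and checks a profile text for that rule. The three audit lines, the user name `alice`, and the profile path `/etc/apparmor.d/usr.bin.swtpm` are constructed assumptions for the example. The coverage check goes a little beyond the single denial on the page: it also flags denials the rule cannot fix, because the file is outside `/home` or is not owned by the process uid (`owner` requires `fsuid == ouid`).

```shell
#!/bin/sh
# Added example (not from the bug report or the swtpm project).
# Triage AppArmor denials against the rule `owner @{HOME}/** rwk,`.

# Constructed sample audit lines; "alice" and the paths are hypothetical.
# Line 1 is the case from the bug (mknod of .lock, mask "c").
# Line 2 is a write/create of a state file by the same uid.
# Line 3 is a file owned by root (ouid=0), which `owner` rules never match.
SAMPLE_AUDIT='audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/alice/tpmstatedir/.lock" pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1665412130.201:171): apparmor="DENIED" operation="open" profile="swtpm" name="/home/alice/tpmstatedir/tpm2-00.permall" pid=5218 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1665412130.250:172): apparmor="DENIED" operation="open" profile="swtpm" name="/var/lib/swtpm-localca/.lock" pid=5218 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0'

# Emit one "profile operation path denied_mask fsuid ouid" record per DENIED line.
# The field order (operation, profile, name, ..., denied_mask, fsuid, ouid) is
# the order the kernel writes them in, so greedy .* between fields is safe.
apparmor_denials() {
  printf '%s\n' "$1" | grep 'apparmor="DENIED"' |
    sed -E 's/.*operation="([^"]*)".*profile="([^"]*)".*name="([^"]*)".*denied_mask="([^"]*)".*fsuid=([0-9]+) ouid=([0-9]+).*/\2 \1 \3 \4 \5 \6/'
}

# Would `owner @{HOME}/** rwk,` have granted this denial?
#  - @{HOME} expands (via tunables/home) to /home/<user>/, so the path must be
#    under a directory in /home;
#  - `owner` only matches when the file's owner equals the process fsuid;
#  - r, w and k are granted directly; "c" (create) is granted by w, which is
#    why the upstream rule fixes the mknod denial in the bug.
home_rule_covers() {
  path=$1; mask=$2; fsuid=$3; ouid=$4
  case $path in /home/*/*) ;; *) return 1 ;; esac
  [ "$fsuid" = "$ouid" ] || return 1
  case $mask in *[!rwck]*) return 1 ;; esac   # any other permission bit is not covered
  return 0
}

# Does a profile text already carry the upstream rule (whitespace-insensitive)?
profile_has_home_rule() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*owner[[:space:]]+@\{HOME\}/\*\*[[:space:]]+rwk,'
}

# Report, per denial, whether adding the rule explains it.
triage() {
  apparmor_denials "$1" | while read -r profile op path mask fsuid ouid; do
    if home_rule_covers "$path" "$mask" "$fsuid" "$ouid"; then
      echo "$profile $op $path: fixed by 'owner @{HOME}/** rwk,'"
    else
      echo "$profile $op $path: NOT covered (outside /home, not owned by fsuid, or extra permission bits)"
    fi
  done
}

triage "$SAMPLE_AUDIT"

# Optional live check; the profile path is an assumption about the Ubuntu package.
if [ -r /etc/apparmor.d/usr.bin.swtpm ]; then
  if profile_has_home_rule "$(cat /etc/apparmor.d/usr.bin.swtpm)"; then
    echo "installed swtpm profile already has the @{HOME} rule"
  else
    echo "installed swtpm profile lacks the @{HOME} rule"
  fi
fi
```

On a live system, feed the script `journalctl -k | grep 'apparmor="DENIED"'` (or the audit log) instead of the constructed sample; after editing the profile, reload it with `apparmor_parser -r /etc/apparmor.d/usr.bin.swtpm` and re-run the VM before trusting the result.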
** Affects: swtpm
Importance: Unknown
Status: Unknown
** Affects: swtpm (Ubuntu)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: In Progress
** Affects: swtpm (Ubuntu Jammy)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: New
** Affects: swtpm (Ubuntu Kinetic)
Importance: Undecided
Assignee: Lena Voytek (lvoytek)
Status: In Progress
** Also affects: swtpm (Ubuntu Kinetic)
Importance: Undecided
Status: New
** Also affects: swtpm (Ubuntu Jammy)
Importance: Undecided
Status: New
** Bug watch added: github.com/stefanberger/swtpm/issues #763
https://github.com/stefanberger/swtpm/issues/763
** Also affects: swtpm via
https://github.com/stefanberger/swtpm/issues/763
Importance: Unknown
Status: Unknown
** Changed in: swtpm (Ubuntu Jammy)
Assignee: (unassigned) => Lena Voytek (lvoytek)
** Changed in: swtpm (Ubuntu Kinetic)
Assignee: (unassigned) => Lena Voytek (lvoytek)
** Changed in: swtpm (Ubuntu Kinetic)
Status: New => In Progress
--
https://bugs.launchpad.net/bugs/1992377
Title:
Apparmor denies writing to swtpm lock file in user's home directory
Status in swtpm:
Unknown
Status in swtpm package in Ubuntu:
In Progress
Status in swtpm source package in Jammy:
New
Status in swtpm source package in Kinetic:
In Progress