[Bug 1992377] Re: Update apparmor profile to match upstream

Lena Voytek 1992377 at bugs.launchpad.net
Fri Apr 21 23:00:04 UTC 2023 

Verified the fix on Jammy with the above Windows 11 test case and by
checking the profile manually:

# lxc launch ubuntu:22.04 test-swtpm
# lxc exec test-swtpm bash

# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# apt update && apt dist-upgrade -y
# apt install swtpm -y

# cat /etc/apparmor.d/usr.bin.swtpm 
# vim:syntax=apparmor
# AppArmor policy for swtpm
# Author: Lena Voytek <lena.voytek at canonical.com>
# Last Modified: Tue Oct 11 10:53:05 2022

#include <tunables/global>

profile swtpm /usr/bin/swtpm {
  #include <abstractions/base>
  #include <abstractions/openssl>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.swtpm>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  network inet stream,
  network inet6 stream,
  unix (send) type=dgram addr=none peer=(addr=none),
  unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

  /usr/bin/swtpm rm,

  /tmp/** rwk,
  owner @{HOME}/** rwk,
  owner /var/lib/libvirt/swtpm/** rwk,
  /run/libvirt/qemu/swtpm/*.sock rwk,
  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
  owner /run/libvirt/qemu/swtpm/*.pid rwk,
  owner /dev/vtpmx rw,
  owner /etc/nsswitch.conf r,
  owner /var/lib/swtpm/** rwk,
  owner /run/swtpm/sock rw,
}

** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1992377

Title:
  Update apparmor profile to match upstream

Status in swtpm:
  Unknown
Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  Fix Committed
Status in swtpm source package in Kinetic:
  Fix Released

Bug description:
  [Impact]

  In its current state, swtpm's apparmor profile has a few restrictions that block common use cases for the software. This includes:
   - Use of vtpm proxy
   - Using one's home folder to manage TPM states
   - Some qemu and libvirt interactions in the tmp directory

  Cleaning up these restrictions allows users to run swtpm in these
  common configurations without messing with local apparmor profiles.

  To fix these cases, the swtpm apparmor profile has been updated to
  match upstream. During the process of bringing the Ubuntu version of
  the profile upstream, these issues were found and fixed accordingly.
  More info on these changes can be found here:
  https://github.com/stefanberger/swtpm/pull/691

  [Test Plan]

  The fix can be tested by running swtpm in these situations. The
  following can be used to test using the home folder to manage TPM
  states using a Windows 11 ISO:

  $ sudo apt install swtpm qemu-kvm
  $ qemu-img create -f qcow2 win11.img 64G
  $ mkdir ~/tpmstatedir
  $ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
  $ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso

  [Where problems could occur]

  This change only decreases apparmor restrictions, so users will not be
  blocked by any new rules. However, with less restrictions, swtpm is
  provided with more attack vectors if it were to be compromised. swtpm
  will no longer be blocked in accessing tmp files that are not its own,
  and will have additional abilities to manipulate file permissions. If
  swtpm acted maliciously, it could access and mess with temporary files
  belonging to other programs.

  [Other Info]
   
  This bug has been fixed in kinetic and beyond in version 0.6.3-0ubuntu4.

  [Original Description]

  When a user uses a tpm state directory for swtpm located somewhere in
  their home directory, apparmor will deny the creation of a lock file
  when a qemu vm boots, showing a message such as:

  audit: type=1400 audit(1665412130.135:170): apparmor="DENIED"
  operation="mknod" profile="swtpm" name="/home/.../tpmstatedir/.lock"
  pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000
  ouid=1000

  This is due to a missing line in the apparmor profile that has been
  added upstream:

  owner @{HOME}/** rwk,

  To test (using a Windows 11 iso):

  $ sudo apt install swtpm qemu-kvm
  $ qemu-img create -f qcow2 win11.img 64G
  $ mkdir ~/tpmstatedir
  $ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
  $ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso

To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1992377/+subscriptions

More information about the foundations-bugs mailing list