[Bug 1989100] Update Released

Brian Murray 1989100 at bugs.launchpad.net
Tue Jan 10 20:13:32 UTC 2023 

The verification of the Stable Release Update for swtpm has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1989100

Title:
  AppArmor DENIES swtpm pid file access

Status in swtpm:
  Unknown
Status in libvirt package in Ubuntu:
  Confirmed
Status in swtpm package in Ubuntu:
  Fix Released
Status in libvirt source package in Kinetic:
  Confirmed
Status in swtpm source package in Kinetic:
  Fix Released
Status in libvirt source package in Lunar:
  Confirmed
Status in swtpm source package in Lunar:
  Fix Released

Bug description:
  [Impact]

  When attempting to set up a vm with libvirt using swtpm in Kinetic,
  swtpm's apparmor profile will deny access to the pid file in
  /run/libvirt/qemu/swtpm/.

  The fix for this issue should be backported to Kinetic because it
  blocks all users attempting to set up a libvirt TPM vm with an error.

  This bug is fixed by removing the "owner" tag from the line "owner
  /run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files
  to be used.

  [Test Plan]

  The fix can be tested using virt-manager and an os using TPM:

  # sudo apt update && sudo apt dist-upgrade -y
  # sudo apt install virt-manager swtpm

  Create a vm in virt-manager and on the last page

  > Select "Customize configuration before install"
  > Click Finish

  > Click Add Hardware
  > Select TPM with Model "TIS" and version 2.0

  > Click "Begin Installation"

  [Where problems could occur]

  By removing the owner tag in line in the apparmor profile, any file
  with a .pid extension in /run/libvirt/qemu/swtpm/ will be
  manipulatable by swtpm. If swtpm were to act maliciously, it would
  have an overall greater reach in this folder.

  [Original Description]

  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  One of our CI tests runs virt-install in a specific way that
  ultimately fails with this in the error message:

      ERROR internal error: Could not get process id of swtpm

  The journal has this message:

      audit: type=1400 audit(1662628523.308:121): apparmor="DENIED"
  operation="file_inherit" profile="swtpm"
  name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944
  comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0

  This is nested virtualization. If you need the exact invocation of
  virt-install, I can dig that out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1989100/+subscriptions

More information about the foundations-bugs mailing list