[Bug 2086736] [NEW] AppArmor profile needs to allow access to /var/tmp
Stefan Berger
2086736 at bugs.launchpad.net
Tue Nov 5 20:28:34 UTC 2024
Public bug reported:

QEMU's avocado tests need access to /var/tmp/**. To avoid the following
type of AppArmor permission failure, add a rule that allows access to
/var/tmp/**.

  type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
  operation="mknod" class="file" profile="swtpm" \
  name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
  requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000FSUID="stefanb" \
  OUID="stefanb"

To resolve this, add the following line to the usr.bin.swtpm profile:

diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
index cd7f5e8a..a6e8a627 100644
--- a/debian/usr.bin.swtpm
+++ b/debian/usr.bin.swtpm
@@ -4,6 +4,7 @@
#include <tunables/global>
profile swtpm /usr/bin/swtpm {
+ #include <abstractions/user-tmp>
#include <abstractions/base>
#include <abstractions/openssl>
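
Review bot: the added `#include <abstractions/user-tmp>` at the top of the profile block grants more than the report justifies. The only denial shown is a create (`operation="mknod"`, `denied_mask="c"`) on `/var/tmp/qemu_3r9txw7z/swtpm-socket` with fsuid equal to ouid, and the description asks for /var/tmp/** only, while the include pulls in a whole shared abstraction whose rules are not visible in this hunk. Consider a single owner-scoped path rule in the profile instead, such as `owner /var/tmp/** rw,`, or state in the description why the full abstraction is wanted for swtpm outside the test setup.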

To run the QEMU avocado test use the following command:

  make check-avocado \
    AVOCADO_TESTS=tests/avocado/machine_aspeed.py:AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm

** Affects: swtpm (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2086736
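
Added example (not part of the bug report or of the swtpm packaging): a Python parser for the AppArmor denial quoted in the report that derives the narrowest file rule the record implies, for comparison with the abstraction the patch includes. The names `parse_denial` and `suggest_rule` and the glob in the usage line are hypothetical; the code assumes the fused `ouid=1000FSUID=` is a lost separator before auditd's enriched fields.

```python
import re

# The denial from the report, joined onto one line (continuation backslashes
# dropped); "ouid=1000FSUID=" is fused here just as it is in the report.
REPORTED = ('type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" '
            'operation="mknod" class="file" profile="swtpm" '
            'name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" '
            'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'
            'FSUID="stefanb" OUID="stefanb"')

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Log masks -> profile permissions: create (c) and delete (d) are both
# granted by "w" in profile syntax; exec (x) needs a transition mode, skipped.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit record as a dict."""
    # Enriched records carry FSUID=/OUID= after a 0x1d byte that copy/paste can
    # drop; restore a separator before an upper-case key glued to digits.
    line = re.sub(r'\x1d|(?<=[0-9])(?=[A-Z]+=)', ' ', line)
    fields = {}
    for key, value in FIELD.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        elif key == "name" and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
            # audit hex-encodes names containing spaces or control characters
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    return fields


def suggest_rule(fields, path=None):
    """Build the narrowest file rule that would have allowed this denial."""
    if (fields.get("apparmor") != "DENIED" or "name" not in fields
            or fields.get("class", "file") != "file"):
        return None
    perms = sorted({MASK_TO_PERM[m] for m in fields.get("denied_mask", "") if m in MASK_TO_PERM})
    if not perms:
        return None
    path = path or fields["name"]
    if " " in path:
        path = f'"{path}"'  # profile syntax needs quotes around such paths
    owner = "owner " if fields.get("fsuid", "-") == fields.get("ouid") else ""
    return f'{owner}{path} {"".join(perms)},'


if __name__ == "__main__":
    print(suggest_rule(parse_denial(REPORTED), "/var/tmp/qemu_*/swtpm-socket"))
```

The `owner` prefix is emitted only when the record's fsuid and ouid match, as they do in the reported denial.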