[Bug 2017874] [NEW] AppArmor denials when running swtpm as unprivileged user with session libvirtd

Launchpad Bug Tracker 2017874 at bugs.launchpad.net
Fri Aug 4 09:12:53 UTC 2023


You have been subscribed to a public bug by Olivier Gayot (ogayot):

I was trying to set up a libvirt VM with an emulated TPM under
qemu:///session (i.e. a libvirtd instance running as myself).

I configured swtpm by running the following:

    swtpm_setup --create-config-files skip-if-exist --tpm2

And tried creating a VM with "virt-install --connect qemu:///session
--name core-desktop --tpm emulator ...", which produced the following
output:

    Starting install...
    ERROR    operation failed: swtpm died and reported: 
    Domain installation does not appear to have been successful.
    If it was, you can restart your domain by running:
      virsh --connect qemu:///session start core-desktop
    otherwise, please restart your installation.

Searching the journal for relevant messages showed:

    Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1355): apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1356): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported: 

It looks like the AppArmor policy in /etc/apparmor.d/usr.bin.swtpm is
set up to allow a system wide swtpm to access its socket and pid files
in /run/libvirt/qemu/swtpm, but not an unprivileged swtpm in
$XDG_RUNTIME_DIR/libvirt/qemu/run/swtpm.

ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: swtpm 0.7.3-0ubuntu1
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Apr 27 16:45:25 2023
InstallationDate: Installed on 2021-03-28 (759 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Alpha amd64 (20210327)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: swtpm
UpgradeStatus: Upgraded to lunar on 2023-03-19 (38 days ago)

** Affects: swtpm (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: amd64 apport-bug lunar wayland-session
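For anyone triaging a report like this, the useful step is to turn the duplicated auditd/kernel journal lines into a short summary of what the profile refused and where. The script below is an added example, not part of the bug report or of the swtpm package: it parses the `apparmor="DENIED"` key=value records, merges the two copies of each event, and tells system-libvirtd paths (`/run/libvirt/qemu/swtpm/`, which the report says the packaged profile covers) apart from session-libvirtd paths under `/run/user/<uid>/`. The sample lines are copies of the journal entries quoted in the report; the "system"/"session" split and the candidate rule text are assumptions made for illustration, not the fix shipped in the package.

```python
"""Summarise AppArmor DENIED records from journal lines.

Added example (not part of the bug report or of swtpm).  The sample
lines are copies of the report's journal entries; the classification of
runtime paths and the candidate rule are assumptions for illustration.
"""
import re
from collections import OrderedDict

# key=value pairs as AppArmor audit records write them: quoted or bare values.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_AA_MARK = 'apparmor="DENIED"'

# Path the report says the packaged profile allows (system-wide libvirtd),
# and the per-user layout session libvirtd uses under $XDG_RUNTIME_DIR.
SYSTEM_RUNTIME = "/run/libvirt/qemu/swtpm/"
USER_RUNTIME_RE = re.compile(r"^/run/user/(\d+)/libvirt/qemu/run/swtpm/")

# Sample input: the journal lines quoted in the bug report (auditd and kernel
# each log the same two events, plus one libvirtd line that is not a denial).
SAMPLE_LINES = [
    'Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
    'Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1355): apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
    'Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1356): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported: ',
]


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    idx = line.find(_AA_MARK)
    if idx < 0:
        return None
    fields = {}
    for m in _KV_RE.finditer(line[idx:]):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarise(lines):
    """Group denials by (profile, operation, path) and count duplicates.

    auditd and the kernel both emit a record per event, so each denial
    normally shows up twice; the count makes that visible.
    """
    groups = OrderedDict()
    for line in lines:
        f = parse_denial(line)
        if f is None:
            continue
        key = (f.get("profile"), f.get("operation"), f.get("name"))
        entry = groups.setdefault(key, {"count": 0, "denied_mask": f.get("denied_mask")})
        entry["count"] += 1
    return groups


def classify_path(path):
    """Say which runtime layout a denied path belongs to (assumed split)."""
    if path.startswith(SYSTEM_RUNTIME):
        return "system"
    if USER_RUNTIME_RE.match(path):
        return "session"
    return "other"


def candidate_rule(path):
    """Candidate (hypothetical) AppArmor rule for a session-runtime path.

    `owner` limits the rule to files owned by the user running swtpm, and
    the [0-9]* glob stands in for the uid.  This is an illustration, not
    the rule the package maintainers chose.
    """
    if not USER_RUNTIME_RE.match(path):
        return None
    return "owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/** rw,"


def report(lines):
    """Return one summary line per distinct denial."""
    out = []
    for (profile, op, path), info in summarise(lines).items():
        kind = classify_path(path)
        line = f"{profile}: {op} denied ({info['denied_mask']}) on {path} [{kind}, x{info['count']}]"
        rule = candidate_rule(path)
        if rule:
            line += f"  candidate rule: {rule}"
        out.append(line)
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_LINES):
        print(entry)
```

Run against a live journal with `journalctl -k -o cat | python3 this_script.py`-style piping only after replacing `SAMPLE_LINES` with `sys.stdin`; as written it runs offline on the embedded lines and prints two entries, each counted twice.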
https://bugs.launchpad.net/bugs/2017874