[Bug 2017874] Re: AppArmor denials when running swtpm as unprivileged user with session libvirtd

Olivier Gayot 2017874 at bugs.launchpad.net
Fri Aug 4 09:49:50 UTC 2023


Resubmitting debdiff to drop the unwanted newline change.

** Patch added: "2-0.7.3-0ubuntu1__0.7.3-0ubuntu2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2017874/+attachment/5690293/+files/2-0.7.3-0ubuntu1__0.7.3-0ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2017874

Title:
  AppArmor denials when running swtpm as unprivileged user with session
  libvirtd

Status in swtpm package in Ubuntu:
  Fix Committed

Bug description:
  I was trying to set up a libvirt VM with an emulated TPM under
  qemu:///session (i.e. a libvirtd instance running as myself).

  I configured swtpm by running the following:

      swtpm_setup --create-config-files skip-if-exist --tpm2

  And tried creating a VM with "virt-install --connect qemu:///session
  --name core-desktop --tpm emulator ...", which produced the following
  output:

      Starting install...
      ERROR    operation failed: swtpm died and reported: 
      Domain installation does not appear to have been successful.
      If it was, you can restart your domain by running:
        virsh --connect qemu:///session start core-desktop
      otherwise, please restart your installation.

  Searching the journal for relevant messages showed:

      Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
      Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
      Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1355): apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
      Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1356): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
      Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported: 

  It looks like the AppArmor policy in /etc/apparmor.d/usr.bin.swtpm is
  set up to allow a system wide swtpm to access its socket and pid files
  in /run/libvirt/qemu/swtpm, but not an unprivileged swtpm in
  $XDG_RUNTIME_DIR/libvirt/qemu/run/swtpm.

  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: swtpm 0.7.3-0ubuntu1
  ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
  Uname: Linux 6.2.0-18-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Apr 27 16:45:25 2023
  InstallationDate: Installed on 2021-03-28 (759 days ago)
  InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Alpha amd64 (20210327)
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: swtpm
  UpgradeStatus: Upgraded to lunar on 2023-03-19 (38 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2017874/+subscriptions
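The two distinct denials in the journal excerpt above (each reported twice, once by auditd and once via the kernel ring buffer) are the whole diagnosis: the swtpm profile covers the system-wide /run/libvirt path but not the per-user /run/user/<uid>/ runtime directory. The following Python script is an added triage example, not part of the bug report or of the attached debdiff: it parses apparmor="DENIED" lines from a constructed journal sample, collapses the duplicate reports, picks out denials on user runtime directories where fsuid matches ouid, and derives an owner-scoped AppArmor rule for the affected directory. The derived rule is an illustration of a least-privilege fix, not the rule the debdiff actually ships; the "c" to "w" mask mapping reflects AppArmor granting file creation through the write permission.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC lines quoted in the bug plus one non-AppArmor
# libvirtd line that the parser must ignore.
SAMPLE_JOURNAL = """\
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1355): apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1356): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported:
"""

# key=value or key="quoted value" tokens as emitted by the AppArmor audit code
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# per-user runtime directory prefix ($XDG_RUNTIME_DIR on a systemd system)
USER_RUNTIME_RE = re.compile(r'^/run/user/(\d+)/')
# AppArmor has no separate "c" in profile rules; create is granted by "w"
MASK_TO_RULE = {"c": "w"}


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, value in KV_RE.findall(line):
            fields[key] = value[1:-1] if value.startswith('"') else value
        events.append(fields)
    return events


def summarize(events):
    """Group by (profile, path, denied_mask) so that the auditd copy and the
    kernel copy of the same denial collapse into one entry."""
    summary = defaultdict(set)
    for ev in events:
        summary[(ev["profile"], ev["name"], ev["denied_mask"])].add(ev["operation"])
    return dict(summary)


def unprivileged_runtime_denials(events):
    """(uid, path) for denials under /run/user/<uid>/ where the accessing
    process (fsuid) owns the file (ouid): the session-libvirtd case."""
    hits = set()
    for ev in events:
        m = USER_RUNTIME_RE.match(ev["name"])
        if m and ev["fsuid"] == ev["ouid"] == m.group(1):
            hits.add((int(m.group(1)), ev["name"]))
    return sorted(hits)


def suggest_rules(events):
    """Derive one owner-scoped rule per affected runtime directory (illustration
    of a least-privilege fix, not the rule from the attached debdiff)."""
    perms = defaultdict(set)
    for uid, path in unprivileged_runtime_denials(events):
        dirname = path.rsplit("/", 1)[0]
        glob = USER_RUNTIME_RE.sub("/run/user/[0-9]*/", dirname) + "/*"
        for ev in events:
            if ev["name"] == path:
                for m in ev["denied_mask"]:
                    perms[glob].add(MASK_TO_RULE.get(m, m))
    return ["owner %s %s," % (g, "".join(sorted(perms[g]))) for g in sorted(perms)]


if __name__ == "__main__":
    evs = parse_denials(SAMPLE_JOURNAL)
    for key, ops in summarize(evs).items():
        print(key, sorted(ops))
    for rule in suggest_rules(evs):
        print(rule)
```

The `owner` qualifier is the check worth keeping: fsuid and ouid agree in every denial above, so the profile can be widened to the per-user directory without letting one user's swtpm touch another user's socket or pid file.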