On 11/5/24 12:13 PM, Peter Maydell wrote:
On Tue, 5 Nov 2024 at 17:02, Stefan Berger <stef...@linux.ibm.com> wrote:
On 11/5/24 11:14 AM, Peter Maydell wrote:
Q1: why is apparmor forbidding swtpm from doing something that
it needs to do to work?
What distro and version is this?
The profile may be too strict and not reflect all the paths needed
for running the test cases. Ubuntu, for example, would have to update
its profile in such a case.
This is Ubuntu 22.04 "jammy" (with swtpm 0.6.3-0ubuntu3.3).
Q2: is there a way to run swtpm such that it is not
confined by apparmor, for purposes of running it in a test case?
Try either one:
- sudo aa-complain /usr/bin/swtpm
- sudo aa-disable /usr/bin/swtpm
We don't have root access from QEMU's 'make check',
though (and shouldn't be globally disabling apparmor
even if we could). I had in mind more a way that an
individual user can say "run this swtpm process but don't
apply the apparmor profile to it".
So the problem is that the avocado tests are using /var/tmp but we only
have AppArmor rules for /tmp/
The following solutions should work:
- do not install swtpm at all
- sudo cp /usr/bin/swtpm /usr/local/bin/swtpm
- as root: echo "include <abstractions/user-tmp>" >> /etc/apparmor.d/local/usr.bin.swtpm && apparmor_parser -r /etc/apparmor.d/usr.bin.swtpm
Lena, it looks like we would need the following additional line in the
profile:
include <abstractions/user-tmp>
Q3: if not, is there a way to at least detect that swtpm is
broken on this system so we can skip the test case?
It's not swtpm that is broken; the AppArmor profile is too strict.
The above command lines should work.
But this is a widely deployed distro in its default
configuration. We have to either work with it or detect
that it's broken so we can skip the test.
Cc'ing Lena from Ubuntu.
thanks
-- PMM
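As an added illustration of the "detect and skip" option raised in Q3 (not code from the thread, QEMU or swtpm): a POSIX sh probe that creates a state directory under a chosen base, lets the real swtpm binary try to use it, and reports a skip verdict when that fails, which is what an AppArmor denial on an uncovered path such as /var/tmp looks like from the test's side. The default command assumes swtpm on PATH and its `swtpm socket --tpmstate dir=... --ctrl type=unixio,path=... --daemon --pid file=...` options; any other command can be substituted for testing the harness itself.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of QEMU/swtpm.
# probe_tpmstate BASE [CMD...]
#   Creates a fresh state dir under BASE and runs CMD with that dir as its
#   last argument. With no CMD, a short-lived swtpm is started there and
#   stopped again (assumed swtpm options, see lead-in). The point is to let
#   the confined binary itself touch the path: a harness running as a
#   normal user cannot read or change the AppArmor profile, but it can
#   observe whether swtpm succeeds, and skip instead of fail.
# Prints one verdict line; returns 0 when BASE is usable, 1 otherwise.
probe_tpmstate() {
    base=$1
    shift
    dir=$(mktemp -d "$base/tpmprobe.XXXXXX") || {
        echo "SKIP: cannot create a state dir under $base"
        return 1
    }
    if [ $# -eq 0 ]; then
        # Default probe: swtpm must create its state/lock files in "$1".
        set -- sh -c 'swtpm socket --tpmstate dir="$1" \
                --ctrl type=unixio,path="$1/ctrl" \
                --daemon --pid file="$1/pid" \
            && kill "$(cat "$1/pid")"' swtpm-probe
    fi
    if "$@" "$dir" >/dev/null 2>&1; then
        echo "OK: $base is usable for TPM state"
        rc=0
    else
        # Typical cause on stock Ubuntu 22.04: usr.bin.swtpm profile has
        # no rule for $base (dmesg shows apparmor="DENIED" ... name="$base/...").
        echo "SKIP: swtpm cannot use $base (AppArmor profile too strict?)"
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

A harness would call `probe_tpmstate /var/tmp || skip_test` before launching the real swtpm; the verdict line goes into the test log so the reason for the skip is visible.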