[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 8.0.0-1ubuntu7

---
libvirt (8.0.0-1ubuntu7) jammy; urgency=medium

  * d/p/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch: Patch the libvirtd
and libvirt-qemu apparmor profiles to allow swtpm to use its own profile
(LP: #1968187)

 -- Lena Voytek   Tue, 12 Apr 2022 10:04:05 -0700

** Changed in: libvirt (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968187

Title:
  apparmor denial when using swtpm

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1968187/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
This bug was fixed in the package swtpm - 0.6.3-0ubuntu3

---
swtpm (0.6.3-0ubuntu3) jammy; urgency=medium

  * d/usr.bin.swtpm: Add additional apparmor rules
- allow full interaction with libvirt (LP: #1968187)
- add qemu socket rules (LP: #1968335)

 -- Lena Voytek   Tue, 12 Apr 2022 07:49:45 -0700

** Changed in: swtpm (Ubuntu)
   Status: In Progress => Fix Released


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~lvoytek/ubuntu/+source/libvirt/+git/libvirt/+merge/419329


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/419328


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Lena Voytek
** Also affects: swtpm (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: swtpm (Ubuntu)
   Status: New => In Progress

** Changed in: swtpm (Ubuntu)
 Assignee: (unassigned) => Lena Voytek (lvoytek)


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Christian Ehrhardt 
We can add those - if we agree - as Ubuntu Delta kind of "right now" to fix it 
before release.
But the swtpm changes then shall be part of the upstreaming effort to Stefan 
that we planned anyway.
And the libvirt changes should go upstream there for the benefit of others as 
well.

Summary of changes needed across libvirt and swtpm packages/profiles:

ubuntu@swtpm-jammy:~$ for f in /etc/apparmor.d/abstractions/libvirt-qemu /etc/apparmor.d/usr.bin.swtpm /etc/apparmor.d/usr.sbin.libvirtd; do echo $f; diff -Naur $f.orig $f; done


/etc/apparmor.d/abstractions/libvirt-qemu

--- /etc/apparmor.d/abstractions/libvirt-qemu.orig  2022-04-12 
11:51:00.834171997 +
+++ /etc/apparmor.d/abstractions/libvirt-qemu   2022-04-12 12:04:10.105197715 
+
@@ -184,7 +184,7 @@
   audit deny /{var/,}run/qemu/*/*.so w,
 
   # swtpm
-  /{usr/,}bin/swtpm rmix,
+  /{usr/,}bin/swtpm rmpix,
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
   /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
 
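Review bot: `rmpix` on the `/{usr/,}bin/swtpm` line keeps the old behaviour wherever no `swtpm` profile is loaded, because `pix` falls back to inherit (the guest's libvirt-UUID profile) when the discrete profile is absent, as the discussion in this bug notes. That is a sensible choice for an abstraction shipped to hosts without the swtpm package, but it means the separation is only enforced once usr.bin.swtpm is actually loaded; a comment on the rule saying so, and noting that plain `px` would instead make a missing profile a hard failure at guest start, would spare the next reader the same trip through the man page.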
@@ -230,6 +230,7 @@
   unix (send, receive) type=stream addr=none peer=(label=libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+  unix (send, receive) type=stream addr=none peer=(label=swtpm),
 
   # allow access to charm-specific ceph config (LP: #1403648).
   # No more silencing spurious denials as it can more critically hide other 
issues (LP: #1719579)
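Review bot: the new `peer=(label=swtpm)` rule is granted to every guest profile that includes this abstraction, and since all swtpm instances run under the single `swtpm` label, this rule by itself lets any guest's QEMU exchange stream sockets with any guest's swtpm process; AppArmor peer labels cannot tell instances apart, so the per-guest socket path under /run/libvirt/qemu/swtpm/ is what keeps a guest on its own emulator. Worth a comment next to the rule so nobody later expects per-instance isolation from the label alone.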


/etc/apparmor.d/usr.bin.swtpm

--- /etc/apparmor.d/usr.bin.swtpm.orig  2022-04-12 11:50:33.586205088 +
+++ /etc/apparmor.d/usr.bin.swtpm   2022-04-12 12:04:58.569137867 +
@@ -16,10 +16,15 @@
 
   network inet stream,
   network inet6 stream,
+
   unix (send) type=dgram addr=none peer=(addr=none),
+  unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
 
   owner /tmp/** rwk,
-  owner /usr/bin/swtpm r,
+  /usr/bin/swtpm rm,
   owner /var/lib/libvirt/swtpm/** rwk,
+  /run/libvirt/qemu/swtpm/*.sock rwk,
+  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
+  owner /run/libvirt/qemu/swtpm/*.pid rwk,
   owner /dev/vtpmx rw,
 }
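Review bot: two of the added rules drop `owner` for reasons that are only recorded in this bug: `/usr/bin/swtpm rm,` because the binary is root-owned while swtpm runs as uid 113 (the file_mmap denial), and `/run/libvirt/qemu/swtpm/*.sock rwk,` because the socket's owner is libvirt's uid 64055 (the file_perm denial). Add a one-line comment on each; otherwise a later tidy-up that re-adds `owner` for consistency with the neighbouring `*.pid` and `*.log` rules reintroduces the denial. The `peer=(label=libvirt-*)` socket rule is fine as written, since libvirt names every guest profile libvirt-<UUID> and the wildcard is exactly that set.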


/etc/apparmor.d/usr.sbin.libvirtd

--- /etc/apparmor.d/usr.sbin.libvirtd.orig  2022-04-12 11:58:44.725602007 
+
+++ /etc/apparmor.d/usr.sbin.libvirtd   2022-04-12 11:59:23.193554346 +
@@ -58,6 +58,7 @@
   ptrace (read,trace) peer=dnsmasq,
   ptrace (read,trace) peer=/usr/sbin/dnsmasq,
   ptrace (read,trace) peer=libvirt-*,
+  ptrace (read,trace) peer=swtpm,
 
   signal (send) peer=dnsmasq,
   signal (send) peer=/usr/sbin/dnsmasq,
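Review bot: `ptrace (read,trace) peer=swtpm,` grants more than the denial asked for; the audit line quoted in this bug shows requested_mask="read" only, which is what libvirtd needs to inspect the swtpm process. Mirroring the neighbouring dnsmasq and libvirt-* lines is understandable, but `ptrace (read) peer=swtpm,` would satisfy the log without trace permission; if `trace` is kept deliberately, a comment should say why.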


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Christian Ehrhardt 
For test purpose I was adding
  /usr/bin/swtpm PUx,
to /etc/apparmor.d/local/abstractions/libvirt-qemu

I can see the error that you mean, that is something apparmor fails to load.
One can call apparmor_parser directly to see more.

ubuntu@swtpm-jammy:~$ sudo apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-8908c397-e4dc-4e8c-a758-2436264111cc
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile libvirt-8908c397-e4dc-4e8c-a758-2436264111cc, failed to load

I think that is due to the base-profile 
/etc/apparmor.d/abstractions/libvirt-qemu already containing:
  /{usr/,}bin/swtpm rmix,

So we have two rules for the same confusing the parser.

Following:
https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html
I've set this to "rmpix"
In regard to execution it before was "inherit execute" and now it is "discrete 
profile execute with inherit fallback" e.g. for any system not having a profile 
for swtpm.

That now loads fine into the apparmor parser.

As a follow-on, the behavior now needs a few more things in the swtpm
profile:

[442420.536942] audit: type=1400 audit(1649764046.690:166): apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/bin/swtpm" pid=52183 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

fsuid=113 ouid=0 - that is swtpm (on disk) vs root (caller)
And that is an mmap rule needed for the binary when called this way.

owner /usr/bin/swtpm r,
->
/usr/bin/swtpm rm,

We do not need write here, so it stays safe.

This works, but as expected in this form of execution it will issue a whole 
other set of denials.
Logs of those that follow are:
[442672.673504] audit: type=1400 audit(1649764298.826:178): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/5-testguest-swtpm.sock" pid=52334 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113
[442803.733113] audit: type=1400 audit(1649764429.885:184): apparmor="DENIED" operation="open" profile="swtpm" name="/var/log/swtpm/libvirt/qemu/testguest-swtpm.log" pid=52370 comm="swtpm" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[442928.727819] audit: type=1400 audit(1649764554.877:196): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/8-testguest-swtpm.pid" pid=52441 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113


These are already running under swtpm (as we have configured libvirt) and would 
in general match.
So those can have "owner" rules.


After these swtpm runs fine, but libvirt needs to be allowed to talk to it

[443044.357969] audit: type=1400 audit(1649764670.509:202): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=33409 comm="rpc-libvirtd" requested_mask="read" denied_mask="read" peer="swtpm"

  ptrace (read,trace) peer=swtpm,

Once communication is established we see

[443159.280775] audit: type=1400 audit(1649764785.429:249): apparmor="DENIED" operation="file_receive" profile="swtpm" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirt-202a34a9-2ee2-4826-b206-c249f535be90"
[443159.280788] audit: type=1400 audit(1649764785.429:250): apparmor="DENIED" operation="file_receive" profile="libvirt-202a34a9-2ee2-4826-b206-c249f535be90" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="swtpm"
[443159.280948] audit: type=1400 audit(1649764785.429:251): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055
[443159.280957] audit: type=1400 audit(1649764785.429:252): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055

That needs a set of other allowances to let swtpm and guests talk via
sockets

One is about libvirt ouid=64055 user working with the socket fsuid=113
under the swtpm profile - so we need to drop the "owner" there.

The two socket operations are in
/etc/apparmor.d/abstractions/libvirt-qemu:
  unix (send, receive) type=stream addr=none peer=(label=swtpm),
/etc/apparmor.d/usr.bin.swtpm:
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

With that it works, no errors at the host and the guest sees:
ubuntu@testguest:~$ sudo dmesg -w | grep -i tpm
[0.011058] ACPI: TPM2 0x1FFD28A9 4C (v04 BOCHS  BXPC 
0001 BXPC 0001)
[0.011078] ACPI: Reserving TPM2 table memory at [mem 0x1ffd28a9-0x1ffd28f4]
[4.346241] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
ubuntu@testguest:~$ ll /dev/tpm*
crw-rw 1 tss root  10,   224 Apr 12 12:05 /dev/tpm0
crw-rw 1 tss tss  253, 65536 Apr 12 12:05 
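The message above walks a sequence of AppArmor denials and turns each into a rule by hand, deciding per denial whether `owner` is safe (fsuid equals ouid), whether the binary needs `m`, and which peer labels the socket and ptrace rules need. The following is an added example, not code from this bug thread nor from the libvirt or swtpm packages, that automates exactly that triage over the denial lines quoted in the thread. Its assumptions: audit mask letters `c` and `a` are covered by `w`, a `file_mmap` denial adds `m` (as the thread did), per-guest file names are widened to `*.<suffix>` and `libvirt-<uuid>` labels to `libvirt-*`; all of these are this example's choices, and the `generalize` parameter turns the widening off.

```python
"""Triage AppArmor DENIED audit lines into candidate profile rules.

Added example, not code from this bug thread or from libvirt/swtpm. It encodes
the reasoning the thread applies by hand: file denials become path rules and
'owner' survives only if every denial for that path had fsuid == ouid; mask
letters c and a are covered by w, and file_mmap adds m; unix socket and ptrace
denials become unix/ptrace rules with just the requested mask. Widening file
names to *.<suffix> and libvirt-<uuid> labels to libvirt-* is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GUEST_LABEL_RE = re.compile(r"^libvirt-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
FILE_PERM = {"r": "r", "w": "w", "a": "w", "c": "w", "m": "m", "k": "k", "l": "l"}
PERM_ORDER = "rwmkl"


@dataclass
class Need:
    profile: str
    kind: str            # "file", "unix" or "ptrace"
    target: str          # path, peer label or peer profile
    perms: List[str]     # ordered, deduplicated
    owner: bool = False  # file rules only
    sock_type: str = ""  # unix rules only


def parse_audit(line: str) -> Dict[str, str]:
    """Split an audit line into key=value fields, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def widen_label(label: str) -> str:
    return "libvirt-*" if GUEST_LABEL_RE.match(label) else label


def widen_path(path: str) -> str:
    head, _, name = path.rpartition("/")
    return path if "." not in name else f"{head}/*.{name.rsplit('.', 1)[1]}"


def need_from_line(line: str, generalize: bool = True) -> Optional[Need]:
    f = parse_audit(line)
    if f.get("apparmor") != "DENIED" or "profile" not in f:
        return None
    op, mask, peer = f.get("operation", ""), f.get("requested_mask", ""), f.get("peer", "")
    if generalize:
        peer = widen_label(peer)
    if op == "ptrace":
        return Need(f["profile"], "ptrace", peer, mask.split())
    if f.get("family") == "unix":
        return Need(f["profile"], "unix", peer, mask.split(), sock_type=f.get("sock_type", ""))
    if "name" in f:
        letters = {FILE_PERM[c] for c in mask if c in FILE_PERM}
        if op == "file_mmap":
            letters.add("m")
        path = widen_path(f["name"]) if generalize else f["name"]
        owner = "fsuid" in f and "ouid" in f and f["fsuid"] == f["ouid"]
        return Need(f["profile"], "file", path, [p for p in PERM_ORDER if p in letters], owner)
    return None


def render(n: Need) -> str:
    if n.kind == "file":
        perms = "".join(p for p in PERM_ORDER if p in n.perms)
        return f"{'owner ' if n.owner else ''}{n.target} {perms},"
    if n.kind == "unix":
        return f"unix ({', '.join(n.perms)}) type={n.sock_type} addr=none peer=(label={n.target}),"
    return f"ptrace ({','.join(n.perms)}) peer={n.target},"


def suggest_rules(lines: List[str], generalize: bool = True) -> Dict[str, List[str]]:
    """Merge denials per (profile, kind, target) and render one rule for each."""
    merged: Dict[tuple, Need] = {}
    for line in lines:
        n = need_from_line(line, generalize)
        if n is None:
            continue
        key = (n.profile, n.kind, n.target, n.sock_type)
        if key not in merged:
            merged[key] = n
            continue
        m = merged[key]
        m.perms.extend([p for p in n.perms if p not in m.perms])
        m.owner = m.owner and n.owner   # one hit with fsuid != ouid rules out 'owner'
    out: Dict[str, List[str]] = {}
    for n in merged.values():
        out.setdefault(n.profile, []).append(render(n))
    return out


# Sample input: denial lines copied from this thread, unwrapped.
DENIALS = [
    '[442420.536942] audit: type=1400 audit(1649764046.690:166): apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/bin/swtpm" pid=52183 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=113 ouid=0',
    '[442672.673504] audit: type=1400 audit(1649764298.826:178): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/5-testguest-swtpm.sock" pid=52334 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113',
    '[442803.733113] audit: type=1400 audit(1649764429.885:184): apparmor="DENIED" operation="open" profile="swtpm" name="/var/log/swtpm/libvirt/qemu/testguest-swtpm.log" pid=52370 comm="swtpm" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113',
    '[443044.357969] audit: type=1400 audit(1649764670.509:202): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=33409 comm="rpc-libvirtd" requested_mask="read" denied_mask="read" peer="swtpm"',
    '[443159.280775] audit: type=1400 audit(1649764785.429:249): apparmor="DENIED" operation="file_receive" profile="swtpm" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirt-202a34a9-2ee2-4826-b206-c249f535be90"',
    '[443159.280788] audit: type=1400 audit(1649764785.429:250): apparmor="DENIED" operation="file_receive" profile="libvirt-202a34a9-2ee2-4826-b206-c249f535be90" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="swtpm"',
    '[443159.280948] audit: type=1400 audit(1649764785.429:251): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055',
]

if __name__ == "__main__":
    for profile, rules in suggest_rules(DENIALS).items():
        print(profile, rules)
```

Running it reproduces the thread's conclusions: the socket rule under the `swtpm` profile loses `owner` because the first mknod denial (fsuid 113, ouid 113) is contradicted by the later file_perm denial (ouid 64055), while the log file keeps it; the rules come out with only the requested permissions, so the thread's `rwk` and `(read,trace)` are wider than what the log demanded, which is the kind of gap this pass is meant to surface before a rule is committed.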

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-11 Thread Lena Voytek
After looking further into the call structure it seems that the denials
are happening through the call structure of libvirt -> qemu ->
qemu_tpm.c -> swtpm and swtpm_setup, where the two programs are
borrowing the apparmor profile libvirt-[UUID] rather than using
usr.bin.swtpm.

It seems like the most proper way to fix this would be to make sure
swtpm uses its own profile by adding a Discrete Profile execute mode px
line to the libvirt profile, such as some variation of:

/usr/bin/swtpm px
or
/usr/bin/swtpm px -> swtpm

This fixes swtpm's apparmor issues but causes a new error on start from
virt-aa-helper, which fails to parse this and the following is shown:

Error starting domain: internal error: cannot load AppArmor profile
'libvirt-[UUID]'

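The `px` line proposed in the message above fails at guest start because, as the later discussion explains, abstractions/libvirt-qemu already carries `/{usr/,}bin/swtpm rmix,` and apparmor_parser refuses a profile whose merged rules for one path carry different exec modifiers. The following is an added example, not code from this bug thread nor from AppArmor or libvirt, that catches this before loading: it expands `{a,b}` alternations in rule paths, extracts the exec mode of each file rule across a set of profile snippets, and reports paths that end up with more than one mode. Its assumption is that only literal paths are compared, so rules written with `*` or `**` are not matched against each other; the snippets `BASE`, `LOCAL_PX` and `BASE_FIXED` are constructed from the rules quoted in this thread.

```python
"""Find file rules whose paths overlap but whose exec modifiers differ.

Added example; not code from the bug thread, from libvirt or from AppArmor.
Expands AppArmor {a,b} alternations, collects the exec mode of every file
rule across a set of profile snippets, and reports literal paths that end up
with more than one mode. Assumption: only exact paths are compared, so rules
using * or ** are not matched against each other.
"""
import re
from typing import Dict, List, Tuple

EXEC_LETTERS = set("pPcCiuUx")   # letters that make up ix, px, Pux, cix, ...
QUALIFIERS = {"audit", "deny", "allow", "owner"}
ALT_RE = re.compile(r"(?<!@)\{([^{}]*)\}")   # {a,b}, but not the @{variable} form


def expand_braces(pattern: str) -> List[str]:
    """'/{usr/,}bin/swtpm' -> ['/usr/bin/swtpm', '/bin/swtpm'], recursing for nested braces."""
    m = ALT_RE.search(pattern)
    if not m:
        return [pattern]
    out: List[str] = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def exec_mode(perms: str) -> str:
    """Exec part of a permission string: 'rmpix' -> 'pix', 'mr' -> ''."""
    return "".join(ch for ch in perms if ch in EXEC_LETTERS)


def file_rules(snippet: str) -> List[Tuple[str, str]]:
    """(path, exec mode) for every file rule in a snippet that carries an exec mode."""
    rules: List[Tuple[str, str]] = []
    for raw in snippet.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(","):
            continue
        tokens = line[:-1].split()
        while tokens and tokens[0] in QUALIFIERS:
            tokens.pop(0)
        if len(tokens) < 2 or not tokens[0].startswith(("/", "@{")):
            continue
        mode = exec_mode(tokens[1])
        if not mode:
            continue
        if len(tokens) >= 4 and tokens[2] == "->":
            mode += " -> " + tokens[3]   # a named transition target is part of the mode
        for path in expand_braces(tokens[0]):
            rules.append((path, mode))
    return rules


def find_x_conflicts(snippets: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each path that carries differing exec modes to [(snippet name, mode), ...]."""
    by_path: Dict[str, List[Tuple[str, str]]] = {}
    for name, text in snippets.items():
        for path, mode in file_rules(text):
            by_path.setdefault(path, []).append((name, mode))
    return {p: hits for p, hits in by_path.items() if len({m for _, m in hits}) > 1}


# Snippets constructed from the rules quoted in this thread.
BASE = """
  # swtpm
  /{usr/,}bin/swtpm rmix,
  /usr/{lib,lib64}/libswtpm_libtpms.so mr,
  /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
"""
LOCAL_PX = "  /usr/bin/swtpm px,\n"          # the line proposed in the message above
BASE_FIXED = BASE.replace("rmix", "rmpix")   # the abstraction change the thread settled on

if __name__ == "__main__":
    print(find_x_conflicts({"abstractions/libvirt-qemu": BASE, "local/abstractions/libvirt-qemu": LOCAL_PX}))
    print("after fix:", find_x_conflicts({"abstractions/libvirt-qemu": BASE_FIXED}))
```

With the original abstraction plus the `px` line the check names `/usr/bin/swtpm` as carrying both `ix` and `px`; `/bin/swtpm`, the other alternative the brace produces, has only one rule and is not reported. Once the abstraction itself is changed to `rmpix` and the extra line dropped, nothing is reported, which matches the parser accepting the profile.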

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-11 Thread Christian Ehrhardt 
** Tags added: server-todo


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-08 Thread Christian Ehrhardt 
Hmm,
ok I expected libvirt to call this e.g. from src/qemu/qemu_tpm.c and I wondered 
already why it is the guests profile.
But since it runs under the guests profile it must be more like "libvirt -> 
qemu ->  ??? -> swtpm_setup" - do you have an example of the call path that you 
see?

Only once we somewhat understand when/how/why it calls swtpm_setup we can 
decide to either
a) might be called in any config, can't be detected from guest devices, need to 
add it to TEMPLATE.qemu
b) will only be called when configured, have libvirt-aa-helper detect tpm and 
only then add abstractions/openssl to the guests rules
c) is generally safe and not a problem to add (only read access), add it to 
TEMPLATE.qemu
d) is actually not called by qemu but by libvirt,  is the reason it is 
under the guests profile


Re: [Bug 1968187] Re: apparmor denial when using swtpm

2022-04-07 Thread Sergio Durigan Junior
On Thursday, April 07 2022, Lena Voytek wrote:

> From testing it seems this shows up due to swtpm_setup using the openssl
> config for key setup information. I managed to fix the issue by adding
>
> #include 
>
> to the TEMPLATE.qemu file in the apparmor directory. I tested with the
> ppa:
>
> ppa:lvoytek/libvirt-allow-openssl-qemu-jammy

FWIW this is a common problem/fix with openssl3; the exact same fix was
applied to squid's apparmor profile a few days ago.

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-07 Thread Lena Voytek
From testing it seems this shows up due to swtpm_setup using the openssl
config for key setup information. I managed to fix the issue by adding

#include 

to the TEMPLATE.qemu file in the apparmor directory. I tested with the
ppa:

ppa:lvoytek/libvirt-allow-openssl-qemu-jammy


[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-07 Thread Lena Voytek
** Changed in: libvirt (Ubuntu)
   Status: New => In Progress

** Changed in: libvirt (Ubuntu)
 Assignee: (unassigned) => Lena Voytek (lvoytek)
