[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 8.0.0-1ubuntu7 --- libvirt (8.0.0-1ubuntu7) jammy; urgency=medium * d/p/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch: Patch the libvirtd and libvirt-qemu apparmor profiles to allow swtpm to use its own profile (LP: #1968187)

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
This bug was fixed in the package swtpm - 0.6.3-0ubuntu3 --- swtpm (0.6.3-0ubuntu3) jammy; urgency=medium * d/usr.bin.swtpm: Add additional apparmor rules - allow full interaction with libvirt (LP: #1968187) - add qemu socket rules (LP: #1968335) -- Lena Voytek Tue, 12

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~lvoytek/ubuntu/+source/libvirt/+git/libvirt/+merge/419329 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1968187 Title: apparmor denial when

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/419328

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Lena Voytek
** Also affects: swtpm (Ubuntu) Importance: Undecided Status: New ** Changed in: swtpm (Ubuntu) Status: New => In Progress ** Changed in: swtpm (Ubuntu) Assignee: (unassigned) => Lena Voytek (lvoytek)

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Christian Ehrhardt 
We can add those - if we agree - as Ubuntu Delta kind of "right now" to fix it before release. But the swtpm changes then shall be part of the upstreaming effort to Stefan that we planned anyway. And the libvirt changes should go upstream there for the benefit of others as well. Summary of

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-12 Thread Christian Ehrhardt 
For test purposes I was adding /usr/bin/swtpm PUx, to /etc/apparmor.d/local/abstractions/libvirt-qemu. I can see the error that you mean; that is something apparmor fails to load. One can call apparmor_parser directly to see more. ubuntu@swtpm-jammy:~$ sudo apparmor_parser -r

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-11 Thread Lena Voytek
After looking further into the call structure it seems that the denials are happening through the call structure of libvirt -> qemu -> qemu_tpm.c -> swtpm and swtpm_setup, where the two programs are borrowing the apparmor profile libvirt-[UUID] rather than using usr.bin.swtpm. It seems like the

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-11 Thread Christian Ehrhardt 
** Tags added: server-todo

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-08 Thread Christian Ehrhardt 
Hmm, ok I expected libvirt to call this e.g. from src/qemu/qemu_tpm.c and I wondered already why it is the guest's profile. But since it runs under the guest's profile it must be more like "libvirt -> qemu -> ??? -> swtpm_setup" - do you have an example of the call path that you see? Only once

Re: [Bug 1968187] Re: apparmor denial when using swtpm

2022-04-07 Thread Sergio Durigan Junior
On Thursday, April 07 2022, Lena Voytek wrote:

> From testing it seems this shows up due to swtpm_setup using the openssl
> config for key setup information. I managed to fix the issue by adding
>
> #include
>
> to the TEMPLATE.qemu file in the apparmor directory. I tested with the
> ppa:
>
>

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-07 Thread Lena Voytek
From testing it seems this shows up due to swtpm_setup using the openssl config for key setup information. I managed to fix the issue by adding #include to the TEMPLATE.qemu file in the apparmor directory. I tested with the ppa: ppa:lvoytek/libvirt-allow-openssl-qemu-jammy

[Bug 1968187] Re: apparmor denial when using swtpm

2022-04-07 Thread Lena Voytek
** Changed in: libvirt (Ubuntu) Status: New => In Progress ** Changed in: libvirt (Ubuntu) Assignee: (unassigned) => Lena Voytek (lvoytek)