We can add those - if we agree - as Ubuntu Delta kind of "right now" to fix it
before release.
But the swtpm changes then shall be part of the upstreaming effort to Stefan
that we planned anyway.
And the libvirt changes should go upstream there for the benefit of others as
well.
Summary of changes needed across libvirt and swtpm packages/profiles:
ubuntu@swtpm-jammy:~$ for f in /etc/apparmor.d/abstractions/libvirt-qemu /etc/apparmor.d/usr.bin.swtpm /etc/apparmor.d/usr.sbin.libvirtd; do echo $f; diff -Naur $f.orig $f; done
/etc/apparmor.d/abstractions/libvirt-qemu
--- /etc/apparmor.d/abstractions/libvirt-qemu.orig 2022-04-12
11:51:00.834171997 +0000
+++ /etc/apparmor.d/abstractions/libvirt-qemu 2022-04-12 12:04:10.105197715
+0000
@@ -184,7 +184,7 @@
audit deny /{var/,}run/qemu/*/*.so w,
# swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
/usr/{lib,lib64}/libswtpm_libtpms.so mr,
/usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
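Review bot: the `rmix` to `rmpix` change on `/{usr/,}bin/swtpm` moves swtpm from inheriting the per-VM qemu profile to a transition into a profile named `swtpm`, and with `p` the target is looked up by profile name, so this only confines swtpm separately if usr.bin.swtpm actually declares `profile swtpm`; the `i` fallback in `pix` also means that when that profile is missing or not loaded, swtpm silently keeps running under the broader qemu profile instead of failing loudly. Suggest confirming that the profile name matches the `label=swtpm` peer used further down and noting the inherit fallback in the changelog so a packaging mistake is not masked.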
@@ -230,6 +230,7 @@
unix (send, receive) type=stream addr=none peer=(label=libvirtd),
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),
# allow access to charm-specific ceph config (LP: #1403648).
# No more silencing spurious denials as it can more critically hide other
issues (LP: #1719579)
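Review bot: the new `peer=(label=swtpm)` rule follows the sibling entries in form, but those siblings list the peer both by profile name and by attachment path (`libvirtd` and `/usr/sbin/libvirtd`), which covers a peer profile loaded without an explicit name. If the swtpm profile can be loaded that way, add a matching `unix (send, receive) type=stream addr=none peer=(label=/usr/bin/swtpm),` line; otherwise a short comment saying the label `swtpm` comes from usr.bin.swtpm would help the next reader.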
/etc/apparmor.d/usr.bin.swtpm
--- /etc/apparmor.d/usr.bin.swtpm.orig 2022-04-12 11:50:33.586205088 +0000
+++ /etc/apparmor.d/usr.bin.swtpm 2022-04-12 12:04:58.569137867 +0000
@@ -16,10 +16,15 @@
network inet stream,
network inet6 stream,
+
unix (send) type=dgram addr=none peer=(addr=none),
+ unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
owner /tmp/** rwk,
- owner /usr/bin/swtpm r,
+ /usr/bin/swtpm rm,
owner /var/lib/libvirt/swtpm/** rwk,
+ /run/libvirt/qemu/swtpm/*.sock rwk,
+ owner /var/log/swtpm/libvirt/qemu/*.log rwk,
+ owner /run/libvirt/qemu/swtpm/*.pid rwk,
owner /dev/vtpmx rw,
}
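Review bot: `/run/libvirt/qemu/swtpm/*.sock rwk,` is the only new file rule without the `owner` qualifier while the neighbouring `.pid` and `.log` rules keep it; if swtpm creates the socket under its own uid, `owner` should be kept for consistency with the rest of the profile, and if it is deliberately dropped because the socket or directory belongs to another user, a comment saying so will stop it being tightened back later. Two smaller points: the libvirt-qemu abstraction spells the runtime directory as `/{var/,}run/`, so the three `/run/libvirt/qemu/swtpm/` rules should probably use the same pattern, and the lone `+` blank line after `network inet6 stream,` is a stray whitespace change.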
/etc/apparmor.d/usr.sbin.libvirtd
--- /etc/apparmor.d/usr.sbin.libvirtd.orig 2022-04-12 11:58:44.725602007
+0000
+++ /etc/apparmor.d/usr.sbin.libvirtd 2022-04-12 11:59:23.193554346 +0000
@@ -58,6 +58,7 @@
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=/usr/sbin/dnsmasq,
ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,
signal (send) peer=dnsmasq,
signal (send) peer=/usr/sbin/dnsmasq,
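Review bot: the hunk adds `ptrace (read,trace) peer=swtpm,` beside the dnsmasq entries but nothing in the `signal (send)` block that follows, even though the surrounding rules pair ptrace and signal for each helper process. If libvirtd also needs to signal swtpm (for example to stop it together with the domain), a matching `signal (send) peer=swtpm,` is needed here too, and, mirroring `peer=/usr/sbin/dnsmasq`, a path-labelled form if the profile may be loaded unnamed; suggest checking the audit log for a signal denial rather than relying only on the one reported in the bug.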
--
https://bugs.launchpad.net/bugs/1968187
Title:
apparmor denial when using swtpm