For test purpose I was adding
/usr/bin/swtpm PUx,
to /etc/apparmor.d/local/abstractions/libvirt-qemu
I can see the error that you mean, that is something apparmor fails to load.
One can call apparmor_parser directly to see more.
ubuntu@swtpm-jammy:~$ sudo apparmor_parser -r
/etc/apparmor.d/libvirt/libvirt-8908c397-e4dc-4e8c-a758-2436264111cc
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile
libvirt-8908c397-e4dc-4e8c-a758-2436264111cc, failed to load
I think that is due to the base-profile
/etc/apparmor.d/abstractions/libvirt-qemu already containing:
/{usr/,}bin/swtpm rmix,
So we have two rules for the same confusing the parser.
Following:
https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html
I've set this to "rmpix"
In regard to execution it before was "inherit execute" and now it is "discrete
profile execute with inherit fallback" e.g. for any system not having a profile
for swtpm.
That now loads fine into apparmor parser fine.
As follow on the behavior now needs a few more things in the swtpm
profile:
[442420.536942] audit: type=1400 audit(1649764046.690:166):
apparmor="DENIED" operation="file_mmap" profile="swtpm"
name="/usr/bin/swtpm" pid=52183 comm="swtpm" requested_mask="r"
denied_mask="r" fsuid=113 ouid=0
fsuid=113 ouid=0 - that is swtpm (on disk) vs root (caller)
And that is an mmap rule needed for the binary when called this way.
owner /usr/bin/swtpm r,
->
/usr/bin/swtpm rm,
We do not need write here, so it stays safe.
This works, but as expected in this form of execution it will issue a whole
other set of denials.
Logs of those that follow are:
[442672.673504] audit: type=1400 audit(1649764298.826:178): apparmor="DENIED"
operation="mknod" profile="swtpm"
name="/run/libvirt/qemu/swtpm/5-testguest-swtpm.sock" pid=52334 comm="swtpm"
requested_mask="c" denied_mask="c" fsuid=113 ouid=113
[442803.733113] audit: type=1400 audit(1649764429.885:184): apparmor="DENIED"
operation="open" profile="swtpm"
name="/var/log/swtpm/libvirt/qemu/testguest-swtpm.log" pid=52370 comm="swtpm"
requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[442928.727819] audit: type=1400 audit(1649764554.877:196): apparmor="DENIED"
operation="mknod" profile="swtpm"
name="/run/libvirt/qemu/swtpm/8-testguest-swtpm.pid" pid=52441 comm="swtpm"
requested_mask="c" denied_mask="c" fsuid=113 ouid=113
These are already running under swtpm (as we have configured libvirt) and would
in general match.
So those can have "owner" rules.
After these swtpm runs fine, but libvirt needs to be allowed to talk to it
[443044.357969] audit: type=1400 audit(1649764670.509:202):
apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=33409
comm="rpc-libvirtd" requested_mask="read" denied_mask="read"
peer="swtpm"
ptrace (read,trace) peer=swtpm,
Once communication is established we see
[443159.280775] audit: type=1400 audit(1649764785.429:249): apparmor="DENIED"
operation="file_receive" profile="swtpm" pid=52548 comm="swtpm" family="unix"
sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send
receive" addr=none peer_addr=none
peer="libvirt-202a34a9-2ee2-4826-b206-c249f535be90"
[443159.280788] audit: type=1400 audit(1649764785.429:250): apparmor="DENIED"
operation="file_receive" profile="libvirt-202a34a9-2ee2-4826-b206-c249f535be90"
pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0
requested_mask="send receive" denied_mask="send receive" addr=none
peer_addr=none peer="swtpm"
[443159.280948] audit: type=1400 audit(1649764785.429:251): apparmor="DENIED"
operation="file_perm" profile="swtpm"
name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm"
requested_mask="w" denied_mask="w" fsuid=113 ouid=64055
[443159.280957] audit: type=1400 audit(1649764785.429:252): apparmor="DENIED"
operation="file_perm" profile="swtpm"
name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm"
requested_mask="w" denied_mask="w" fsuid=113 ouid=64055
That needs a set of other allowances to let swtpm and guests talk via
sockets
One is about libvirt ouid=64055 user working with the socket fsuid=113
under the swtpm profile - so we need to drop the "owner" there.
The two socket operations are in
/etc/apparmor.d/abstractions/libvirt-qemu:
unix (send, receive) type=stream addr=none peer=(label=swtpm),
/etc/apparmor.d/usr.bin.swtpm:
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),
With that it works, no errors at the host and the guest sees:
ubuntu@testguest:~$ sudo dmesg -w | grep -i tpm
[ 0.011058] ACPI: TPM2 0x000000001FFD28A9 00004C (v04 BOCHS BXPC
00000001 BXPC 00000001)
[ 0.011078] ACPI: Reserving TPM2 table memory at [mem 0x1ffd28a9-0x1ffd28f4]
[ 4.346241] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
ubuntu@testguest:~$ ll /dev/tpm*
crw-rw---- 1 tss root 10, 224 Apr 12 12:05 /dev/tpm0
crw-rw---- 1 tss tss 253, 65536 Apr 12 12:05 /dev/tpmrm0
I'll summarize changes in the next comment
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968187
Title:
apparmor denial when using swtpm
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1968187/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
