[Bug 1989100] Autopkgtest regression report (swtpm/0.6.3-0ubuntu4.1)

Ubuntu SRU Bot 1989100 at bugs.launchpad.net
Fri Dec 2 01:34:22 UTC 2022 

All autopkgtests for the newly accepted swtpm (0.6.3-0ubuntu4.1) for kinetic have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/251.4-1ubuntu7 (arm64)


Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-
migration/kinetic/update_excuses.html#swtpm

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1989100

Title:
  AppArmor DENIES swtpm pid file access

Status in swtpm:
  Unknown
Status in libvirt package in Ubuntu:
  Confirmed
Status in swtpm package in Ubuntu:
  Fix Released
Status in libvirt source package in Kinetic:
  Confirmed
Status in swtpm source package in Kinetic:
  Fix Committed
Status in libvirt source package in Lunar:
  Confirmed
Status in swtpm source package in Lunar:
  Fix Released

Bug description:
  [Impact]

  When attempting to set up a vm with libvirt using swtpm in Kinetic,
  swtpm's apparmor profile will deny access to the pid file in
  /run/libvirt/qemu/swtpm/.

  The fix for this issue should be backported to Kinetic because it
  blocks all users attempting to set up a libvirt TPM vm with an error.

  This bug is fixed by removing the "owner" tag from the line "owner
  /run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files
  to be used.

  [Test Plan]

  The fix can be tested using virt-manager and an os using TPM:

  # sudo apt update && sudo apt dist-upgrade -y
  # sudo apt install virt-manager swtpm

  Create a vm in virt-manager and on the last page

  > Select "Customize configuration before install"
  > Click Finish

  > Click Add Hardware
  > Select TPM with Model "TIS" and version 2.0

  > Click "Begin Installation"

  [Where problems could occur]

  By removing the owner tag in line in the apparmor profile, any file
  with a .pid extension in /run/libvirt/qemu/swtpm/ will be
  manipulatable by swtpm. If swtpm were to act maliciously, it would
  have an overall greater reach in this folder.

  [Original Description]

  libvirt 8.6.0-0ubuntu1
  apparmor 3.0.7-1ubuntu1

  One of our CI tests runs virt-install in a specific way that
  ultimately fails with this in the error message:

      ERROR internal error: Could not get process id of swtpm

  The journal has this message:

      audit: type=1400 audit(1662628523.308:121): apparmor="DENIED"
  operation="file_inherit" profile="swtpm"
  name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944
  comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0

  This is nested virtualization. If you need the exact invocation of
  virt-install, I can dig that out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1989100/+subscriptions

More information about the foundations-bugs mailing list