[Bug 1950631] Re: [FFe] wrap swtpm in an apparmor profile
Christian Ehrhardt
1950631 at bugs.launchpad.net
Tue Mar 22 11:11:29 UTC 2022
Test stuck here:
4 0 356 1 20 0 2888 1716 - Ss hvc1 0:00 /bin/sh
1 0 3081 356 20 0 2888 140 - S+ hvc1 0:00 \_ /bin/sh
4 0 3082 3081 20 0 10192 4268 - S+ hvc1 0:00 \_ su -s /bin/bash ubuntu -c set -e; export USER=`id -nu`; . /etc/profile >/dev/null 2>&1 || true; . ~/.profile >/dev/null 2>&1 || true; buildtree="/tmp/autopkgtest.y9SOlW/build.P79/src"; mkdir -
4 1000 3091 3082 20 0 7892 3844 do_wai Ss ? 0:00 \_ bash -c set -e; export USER=`id -nu`; . /etc/profile >/dev/null 2>&1 || true; . ~/.profile >/dev/null 2>&1 || true; buildtree="/tmp/autopkgtest.y9SOlW/build.P79/src"; mkdir -p -m 1777 -- "
0 1000 3099 3091 20 0 2888 1000 do_wai S ? 0:00 \_ /bin/sh /tmp/autopkgtest.y9SOlW/build.P79/src/debian/tests/run-tests
1 1000 3100 3099 20 0 7892 1756 do_wai S ? 0:00 \_ bash -c set -e; export USER=`id -nu`; . /etc/profile >/dev/null 2>&1 || true; . ~/.profile >/dev/null 2>&1 || true; buildtree="/tmp/autopkgtest.y9SOlW/build.P79/src"; mkdir -p -m 1
0 1000 3104 3100 20 0 6192 1024 pipe_r S ? 0:00 | \_ tee -a /tmp/autopkgtest.y9SOlW/run-tests-stderr
1 1000 3101 3099 20 0 7892 1672 do_wai S ? 0:00 \_ bash -c set -e; export USER=`id -nu`; . /etc/profile >/dev/null 2>&1 || true; . ~/.profile >/dev/null 2>&1 || true; buildtree="/tmp/autopkgtest.y9SOlW/build.P79/src"; mkdir -p -m 1
0 1000 3103 3101 20 0 6192 1016 pipe_r S ? 0:00 | \_ tee -a /tmp/autopkgtest.y9SOlW/run-tests-stdout
0 1000 6038 3099 20 0 6676 2484 do_wai S ? 0:00 \_ make -j4 check VERBOSE=1
0 1000 6039 6038 20 0 7760 3388 do_wai S ? 0:00 \_ /bin/bash -c fail=; \ if (target_option=k; case ${target_option-} in ?) ;; *) echo "am__make_running_with_option: internal error: invalid" "target option '${target_option-}' spe
1 1000 7081 6039 20 0 7760 1988 do_wai S ? 0:00 \_ /bin/bash -c fail=; \ if (target_option=k; case ${target_option-} in ?) ;; *) echo "am__make_running_with_option: internal error: invalid" "target option '${target_option-}'
0 1000 7082 7081 20 0 6684 2676 do_wai S ? 0:00 \_ make check
0 1000 7086 7082 20 0 6684 2696 do_wai S ? 0:00 \_ make check-TESTS
0 1000 7094 7086 20 0 7760 3344 do_wai S ? 0:00 \_ /bin/bash -c set +e; bases='test_vtpm_proxy.log test_tpm2_vtpm_proxy.log test_ctrlchannel2.log test_ctrlchannel4.log test_tpm2_ctrlchannel2.log test_commandline.
0 1000 7103 7094 20 0 6908 2892 do_wai S ? 0:00 \_ make test-suite.log TEST_LOGS=test_vtpm_proxy.log test_tpm2_vtpm_proxy.log test_ctrlchannel2.log test_ctrlchannel4.log test_tpm2_ctrlchannel2.log test_comman
0 1000 7141 7103 20 0 7764 3264 do_wai S ? 0:00 \_ /bin/bash ../test-driver --test-name test_commandline --log-file test_commandline.log --trs-file test_commandline.trs --color-tests no --enable-hard-erro
0 1000 7163 7141 20 0 8160 4012 pipe_r S ? 0:00 | \_ bash ./test_commandline
0 1000 7613 7163 20 0 17092 9184 skb_wa S ? 0:00 | \_ python3 /tmp/autopkgtest.y9SOlW/build.P79/src/tests/test_clientfds.py
0 1000 7626 7613 20 0 8532 2348 do_pol S ? 0:00 | \_ /usr/bin/swtpm socket --fd=3 --ctrl type=unixio,clientfd=5 --pid file=/tmp/tmp.jkBt3n3qVc/swtpm.pid --tpmstate dir=/tmp/tmp.jkBt3n3qVc --secc
0 1000 7406 7103 20 0 7764 3268 do_wai S ? 0:00 \_ /bin/bash ../test-driver --test-name test_ctrlchannel3 --log-file test_ctrlchannel3.log --trs-file test_ctrlchannel3.trs --color-tests no --enable-hard-e
0 1000 7425 7406 20 0 8168 3940 pipe_r S ? 0:00 \_ bash ./test_ctrlchannel3
0 1000 7444 7425 20 0 9220 6640 do_pol S ? 0:00 \_ /usr/bin/swtpm socket --flags not-need-init --ctrl type=unixio,path=/tmp/tmp.6u48xQf27g/sock --tpmstate dir=/tmp/tmp.6u48xQf27g -t --pid file=/tm
0 1000 7486 7425 20 0 17092 9252 skb_wa S ? 0:00 \_ python3 /tmp/autopkgtest.y9SOlW/build.P79/src/tests/test_setdatafd.py
Related denies:
[ 94.237953] audit: type=1400 audit(1647945881.998:14): apparmor="DENIED" operation="sendmsg" profile="swtpm" pid=7444 comm="swtpm" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="unconfined"
[ 96.248392] audit: type=1400 audit(1647945884.006:15): apparmor="DENIED" operation="sendmsg" profile="swtpm" pid=7626 comm="swtpm" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="unconfined"
Repro:
SWTPM_EXE=/usr/bin/swtpm SWTPM_IOCTL=swtpm_ioctl SWTPM_BIOS=swtpm_bios SWTPM_SETUP=swtpm_setup SWTPM_CERT=swtpm_cert SWTPM_TEST_SECCOMP_OPT="--seccomp action=none" make -j4 check VERBOSE=1
The rule we need for that is:
unix (send) type=dgram addr=none peer=(addr=none),
With that things pass locally, building in PPA for a cross-arch retest
on autopkgtest infrastructure
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1950631
Title:
[FFe] wrap swtpm in an apparmor profile
Status in libvirt package in Ubuntu:
Invalid
Status in swtpm package in Ubuntu:
Fix Committed
Bug description:
Dear Release Team,
Please accept the swtpm apparmor profile as a Jammy FFe.
PPA: ppa:lvoytek/swtpm-apparmor-profile-jammy
[Rationale]
swtpm is being MIRed right now (bug 1948748) and while not (yet, still
in security review) being called out explicitly - adding in the
apparmor profile is a good addition in regard to security. Eventually
this is another new guest<->host interface which generally are high
ranked in attack profiles - so adding another layer (Steve already
made the user swtpm runs with more safe) of security seems like an
important thing.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
But before Jammy swtpm wasn't in the Archive at all and that isn't released yet - so it can't be felt as a regression. And the profile has the usual means of local includes to allow users to overcome this without too much hassle.
swtpm is not seeded (but about to, see MIR bug above).
[Proposed upload]
Code:
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/415813
Build: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-apparmor-profile-jammy
[Tests]
autopkgtest output:
============================================================================
Testsuite summary for swtpm 0.6.1
============================================================================
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[2]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Entering directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
autopkgtest [10:14:10]: test run-tests: -----------------------]
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@@@@@@@@@@@@@@ summary
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context
which is good as that is already rather reduced and safer than
e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for
swtpm and have it transition there.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1950631/+subscriptions
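The comment above derives the missing rule (unix (send) type=dgram addr=none peer=(addr=none),) by reading the two audit DENIED records. The script below is an added example of that step, written for this page; it is not code from the bug report, from swtpm, or from Ubuntu's AppArmor tooling, and it is a cut-down stand-in for what aa-logprof does, handling only family="unix" records. The sample input is constructed from the two denial lines quoted in the comment; the function names (parse_audit_line, unix_rule, suggest_rules) are this example's own.

```python
"""Turn AppArmor audit DENIED records into candidate unix-socket rules.

Added example for this bug thread, not code from the report, from swtpm or
from the AppArmor utilities. It covers only family="unix" records and is a
simplified stand-in for the rule-suggestion step of aa-logprof.
"""
import re
from collections import OrderedDict

# Constructed sample input: the two denials quoted in the bug comment.
SAMPLE_LOG = """\
[ 94.237953] audit: type=1400 audit(1647945881.998:14): apparmor="DENIED" operation="sendmsg" profile="swtpm" pid=7444 comm="swtpm" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="unconfined"
[ 96.248392] audit: type=1400 audit(1647945884.006:15): apparmor="DENIED" operation="sendmsg" profile="swtpm" pid=7626 comm="swtpm" family="unix" sock_type="dgram" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="unconfined"
"""

# key=value pairs; a value is either double-quoted or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record as a dict,
    or None if the line is not an AppArmor record at all."""
    if 'apparmor=' not in line:
        return None
    return {key: val.strip('"') for key, val in _KV.findall(line)}


def unix_rule(fields, with_peer_label=False):
    """Build the unix rule that would permit the denied access.

    Returns None for records that are not unix-socket denials. With
    with_peer_label=True the peer's confinement label is added, which
    limits the rule to the peer actually observed (here "unconfined")
    instead of any peer with a matching address.
    """
    if fields.get('apparmor') != 'DENIED' or fields.get('family') != 'unix':
        return None
    # denied_mask may list several accesses separated by spaces
    access = ', '.join(fields['denied_mask'].split())
    parts = ['unix', f'({access})']
    if 'sock_type' in fields:
        parts.append(f'type={fields["sock_type"]}')
    if 'addr' in fields:
        # addr=none in the record means an unbound (unnamed) socket
        parts.append(f'addr={fields["addr"]}')
    peer = []
    if 'peer_addr' in fields:
        peer.append(f'addr={fields["peer_addr"]}')
    if with_peer_label and 'peer' in fields:
        peer.append(f'label={fields["peer"]}')
    if peer:
        parts.append('peer=(' + ' '.join(peer) + ')')
    return ' '.join(parts) + ','


def suggest_rules(log_text, profile=None):
    """Map each distinct rule needed to the pids that triggered it, in
    first-seen order; optionally restrict to one profile name."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or (profile and fields.get('profile') != profile):
            continue
        rule = unix_rule(fields)
        if rule:
            rules.setdefault(rule, []).append(fields.get('pid'))
    return rules


if __name__ == '__main__':
    for rule, pids in suggest_rules(SAMPLE_LOG, profile='swtpm').items():
        print(f'  {rule}   # denied for pid(s) {", ".join(pids)}')
```

Run against the two records from the comment it yields exactly one rule, the one the comment settles on. The peer label is deliberately left off by default because that is the form the comment uses; passing with_peer_label=True gives the tighter peer=(addr=none label=unconfined) variant, which is worth preferring when the peer is always the same confined or unconfined process. Either way, a rule derived from a single test run should go into the profile's local include first, as the regression-potential section describes, and be promoted into the packaged profile only once the full test suite is green with it.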