[Bug 1950631] Re: [FFe] wrap swtpm in an apparmor profile
Launchpad Bug Tracker
1950631 at bugs.launchpad.net
Wed Mar 23 16:35:53 UTC 2022
This bug was fixed in the package swtpm - 0.6.3-0ubuntu1
---------------
swtpm (0.6.3-0ubuntu1) jammy; urgency=medium
* Update to the stable release v0.6.3 (LP: 1948748)
- swtpm:
+ Do not chdir(/) when using --daemon
+ Check header size indicator against expected size (CVE-2022-23645)
- swtpm-localca:
+ Re-implement variable resolution for swtpm-localca.conf
+ Test for available issuercert before creating CA
- tests:
+ Use ${WORKDIR} in config files to test env. var replacement
- man:
+ Add missing .config directory to path description when using ${HOME}
- build-sys:
+ Add probing for -fstack-protector
+ configure: Fix typo TPM2 -> TMP2
- swtpm_setup:
+ Report stderr as returned by external tool (swtpm-localcal)
+ Fix exit code on error to be '1'.
* d/usr.bin.swtpm: fix hang on unix sockets due to apparmor rules
swtpm (0.6.1-0ubuntu6) jammy; urgency=medium
* Add apparmor profile to swtpm (LP: #1950631)
- d/usr.bin.swtpm: Create new apparmor profile
- d/swtpm.install: Copy apparmor profile to /etc/apparmor.d/
- d/rules: Deploy the swtpm apparmor profile
- d/control: Add dh-apparmor as a dependency
-- Christian Ehrhardt <christian.ehrhardt at canonical.com> Tue, 22 Mar 2022 09:31:40 +0100
** Changed in: swtpm (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23645
https://bugs.launchpad.net/bugs/1950631
Title:
[FFe] wrap swtpm in an apparmor profile
Status in libvirt package in Ubuntu:
Invalid
Status in swtpm package in Ubuntu:
Fix Released
Bug description:
Dear Release Team,
Please accept the swtpm apparmor profile as a Jammy FFe.
PPA: ppa:lvoytek/swtpm-apparmor-profile-jammy
[Rationale]
swtpm is being MIRed right now (bug 1948748) and while not (yet, still in security review) being called out explicitly - adding in the apparmor profile is a good addition in regard to security. Eventually this is another new guest<->host interface which generally are high ranked in attack profiles - so adding another layer (Steve already made the user swtpm runs with more safe) of security seems like an important thing.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
But before Jammy swtpm wasn't in the Archive at all and that isn't released yet - so it can't be felt like a regression. And the profile has the usual means of local includes to allow users to overcome this without too much hassle.
swtpm is not seeded (but about to, see MIR bug above).
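As an added example (not part of this bug report or of the swtpm package), the check a user hitting the permission-denied case above would want: parse the kernel/audit lines AppArmor emits when the profile denies an access and draft candidate lines for the local include. It assumes the profile is attached to /usr/bin/swtpm, as the d/usr.bin.swtpm name suggests; the log lines, paths and pids are constructed.

```python
import re

# Constructed sample audit lines in the usual AppArmor format; the paths,
# pids and uids are invented for this example, not taken from the bug report.
SAMPLE_LOG = """\
audit: type=1400 audit(1647943200.101:41): apparmor="DENIED" operation="open" profile="/usr/bin/swtpm" name="/var/lib/libvirt/swtpm/vm1/tpm2/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=64 ouid=64
audit: type=1400 audit(1647943200.102:42): apparmor="DENIED" operation="open" profile="/usr/bin/swtpm" name="/var/lib/libvirt/swtpm/vm1/tpm2/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=64 ouid=64
audit: type=1400 audit(1647943200.103:43): apparmor="DENIED" operation="connect" profile="/usr/bin/swtpm" pid=4242 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="connect" denied_mask="connect" addr=none
audit: type=1400 audit(1647943200.104:44): apparmor="ALLOWED" operation="open" profile="/usr/bin/swtpm" name="/etc/swtpm_setup.conf" pid=4242 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=64 ouid=64
"""

# key="quoted value" or key=bareword, as written by the AppArmor LSM
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text, profile="/usr/bin/swtpm"):
    """Return one dict of key/value fields per line where `profile` DENIED an access."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in FIELD.finditer(line)}
        if fields.get("profile") == profile:
            denials.append(fields)
    return denials


def draft_local_rules(denials):
    """Collapse denials into candidate lines for /etc/apparmor.d/local/usr.bin.swtpm.

    File denials are merged per path so repeated r/w denials give one rule;
    unix socket denials become a unix rule with the denied access. The output
    is a draft to review, not something to append blindly.
    """
    file_masks = {}
    sock_rules = []
    for d in denials:
        if "name" in d:
            file_masks.setdefault(d["name"], set()).update(d.get("denied_mask", ""))
        elif d.get("family") == "unix":
            rule = f'unix ({d["denied_mask"]}) type={d["sock_type"]},'
            if rule not in sock_rules:
                sock_rules.append(rule)
    rules = [f'"{name}" {"".join(sorted(masks))},' for name, masks in file_masks.items()]
    return rules + sock_rules


if __name__ == "__main__":
    for rule in draft_local_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

On a live system the same lines come from `journalctl -k` or the audit log; only lines carrying the swtpm profile name are considered, so denials from other profiles are ignored.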
[Proposed upload]
Code:
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/415813
Build: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-apparmor-profile-jammy
[Tests]
autopkgtest output:
============================================================================
Testsuite summary for swtpm 0.6.1
============================================================================
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[2]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Entering directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
autopkgtest [10:14:10]: test run-tests: -----------------------]
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@@@@@@@@@@@@@@ summary
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there.