[Bug 1992377] Re: Apparmor denies writing to swtpm lock file in user's home directory

Launchpad Bug Tracker 1992377 at bugs.launchpad.net
Wed Oct 12 12:35:25 UTC 2022


This bug was fixed in the package swtpm - 0.6.3-0ubuntu4

---------------
swtpm (0.6.3-0ubuntu4) kinetic; urgency=medium

  * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
    In between adding the apparmor profile to Ubuntu and merging upstream
    additional rules were used to cover more common use cases. (LP: #1992377)
    - The six capability lines fix the broken upstream unit test cases:
      test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
      test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
    - owner @{HOME}/** rwk was added as using a folder in one's home directory
      is common for managing tpm states
    - Access in the tmp directory is further generalized as this is where swtpm
      interacts with qemu and libvirt
    - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
      work

 -- Lena Voytek <lena.voytek at canonical.com>  Tue, 11 Oct 2022 10:54:21 -0700

** Changed in: swtpm (Ubuntu Kinetic)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1992377

Title:
  Apparmor denies writing to swtpm lock file in user's home directory

Status in swtpm:
  Unknown
Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  Triaged
Status in swtpm source package in Kinetic:
  Fix Released

Bug description:
  When a user uses a tpm state directory for swtpm located somewhere in
  their home directory, apparmor will deny the creation of a lock file
  when a qemu vm boots, showing a message such as:

  audit: type=1400 audit(1665412130.135:170): apparmor="DENIED"
  operation="mknod" profile="swtpm" name="/home/.../tpmstatedir/.lock"
  pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000
  ouid=1000

  This is due to a missing line in the apparmor profile that has been
  added upstream:

  owner @{HOME}/** rwk,

  
  To test (using a Windows 11 iso):

  $ sudo apt install swtpm qemu-kvm
  $ qemu-img create -f qcow2 win11.img 64G
  $ mkdir ~/tpmstatedir
  $ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
  $ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso

To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1992377/+subscriptions
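The denial quoted in the bug description and the `owner @{HOME}/** rwk,` rule that resolves it can be checked mechanically. The script below is an added illustration, not code from the bug report, from swtpm or from the AppArmor project: it parses `type=1400` audit records into fields, turns a single AppArmor file rule into a path matcher (with `*` confined to one path component and `**` crossing directories, and `@{HOME}` expanded to `/home/*` as an assumption about the default tunable), honours the `owner` restriction by comparing `fsuid` with `ouid`, and reports whether each denied access would have been permitted. The audit lines are constructed samples modelled on the one in the report, with a made-up username; `parse_record`, `rule_covers` and `classify` are names chosen here.

```python
"""Check AppArmor DENIED audit records against a candidate file rule (added example)."""
import re

# Constructed sample records modelled on the denial quoted in the bug report.
# The username is invented; record 3 (different ouid) and record 4 (path outside
# any home directory) are added to show what the rule does not cover.
SAMPLE_RECORDS = [
    'audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" '
    'profile="swtpm" name="/home/alice/tpmstatedir/.lock" pid=5218 comm="swtpm" '
    'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1665412130.135:171): apparmor="DENIED" operation="open" '
    'profile="swtpm" name="/home/alice/tpmstatedir/tpm2-00.permall" pid=5218 comm="swtpm" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1665412130.135:172): apparmor="DENIED" operation="open" '
    'profile="swtpm" name="/home/bob/tpmstatedir/.lock" pid=5218 comm="swtpm" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1001',
    'audit: type=1400 audit(1665412130.135:173): apparmor="DENIED" operation="open" '
    'profile="swtpm" name="/var/lib/swtpm/.lock" pid=5218 comm="swtpm" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

UPSTREAM_RULE = 'owner @{HOME}/** rwk,'   # the rule named in the bug description

# key=value pairs; values may be quoted (name="...") or bare (pid=5218).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# A single file rule: optional "owner", a path glob, a permission set, trailing comma.
RULE_RE = re.compile(r'^\s*(owner\s+)?(\S+)\s+([rwakm]+)\s*,\s*$')

# Assumption: @{HOME} expands to one component under /home, as in the default
# tunables/home layout. Adjust if HOMEDIRS is customised on the host.
TUNABLES = {'@{HOME}': '/home/*'}

# Which rule permission letters satisfy each letter seen in requested_mask.
# Create ('c') and delete ('d') in the audit mask are implied by 'w' in a rule.
GRANTED_BY = {'r': 'r', 'w': 'w', 'a': 'wa', 'c': 'w', 'd': 'w', 'k': 'k', 'm': 'm'}


def parse_record(line):
    """Split one audit record into a dict, stripping quotes from quoted values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def parse_rule(text):
    """Parse a rule such as 'owner @{HOME}/** rwk,' into owner/path/perms."""
    match = RULE_RE.match(text)
    if not match:
        raise ValueError('unsupported rule syntax: %r' % text)
    return {'owner': bool(match.group(1)), 'path': match.group(2), 'perms': match.group(3)}


def rule_to_regex(path_glob):
    """Translate an AppArmor path glob into an anchored regular expression."""
    for var, value in TUNABLES.items():
        path_glob = path_glob.replace(var, value)
    out, i = '', 0
    while i < len(path_glob):
        if path_glob.startswith('**', i):
            out += '.*'        # ** matches across directory boundaries
            i += 2
        elif path_glob[i] == '*':
            out += '[^/]*'     # * stays within a single path component
            i += 1
        else:
            out += re.escape(path_glob[i])
            i += 1
    return re.compile('^' + out + '$')


def rule_covers(rule, record):
    """True if the rule would have allowed every permission the record requested."""
    if not rule_to_regex(rule['path']).match(record['name']):
        return False
    # "owner" rules only apply when the process uid owns the file.
    if rule['owner'] and record.get('fsuid') != record.get('ouid'):
        return False
    return all(any(p in rule['perms'] for p in GRANTED_BY.get(req, ''))
               for req in record['requested_mask'])


def classify(lines, rule_text):
    """Return (path, covered) for each DENIED record in `lines` under `rule_text`."""
    rule = parse_rule(rule_text)
    results = []
    for line in lines:
        record = parse_record(line)
        if record.get('apparmor') != 'DENIED':
            continue
        results.append((record['name'], rule_covers(rule, record)))
    return results


if __name__ == '__main__':
    for path, covered in classify(SAMPLE_RECORDS, UPSTREAM_RULE):
        print('%-45s %s' % (path, 'allowed by rule' if covered else 'still denied'))
```

Running it against the samples shows the two accesses under `/home/alice` would be allowed, while the record where `fsuid` and `ouid` differ stays denied because of `owner`, and the path under `/var/lib` is not touched by the rule at all. Dropping `owner` from the rule flips the third result, which is the trade-off the profile author makes when choosing between the two forms.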
