[Bug 1992377] Re: Update apparmor profile to match upstream
Steve Langasek
1992377 at bugs.launchpad.net
Fri Apr 21 22:12:04 UTC 2023
Hello Lena, or anyone else affected,
Accepted swtpm into jammy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/swtpm/0.6.3-0ubuntu3.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-jammy
to verification-done-jammy. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-failed-jammy.
In either case, without details of your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: swtpm (Ubuntu Jammy)
Status: In Progress => Fix Committed
** Tags added: verification-needed verification-needed-jammy
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/1992377
Title:
Update apparmor profile to match upstream
Status in swtpm:
Unknown
Status in swtpm package in Ubuntu:
Fix Released
Status in swtpm source package in Jammy:
Fix Committed
Status in swtpm source package in Kinetic:
Fix Released
Bug description:
[Impact]
In its current state, swtpm's apparmor profile has a few restrictions that block common use cases for the software. This includes:
- Use of vtpm proxy
- Using one's home folder to manage TPM states
- Some qemu and libvirt interactions in the tmp directory
Cleaning up these restrictions allows users to run swtpm in these
common configurations without messing with local apparmor profiles.
To fix these cases, the swtpm apparmor profile has been updated to
match upstream. During the process of bringing the Ubuntu version of
the profile upstream, these issues were found and fixed accordingly.
More info on these changes can be found here:
https://github.com/stefanberger/swtpm/pull/691
[Test Plan]
The fix can be tested by running swtpm in these situations. The
following can be used to test using the home folder to manage TPM
states using a Windows 11 ISO:
$ sudo apt install swtpm qemu-kvm
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir ~/tpmstatedir
$ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso
[Where problems could occur]
This change only decreases apparmor restrictions, so users will not be
blocked by any new rules. However, with fewer restrictions, swtpm is
provided with more attack vectors if it were to be compromised. swtpm
will no longer be blocked in accessing tmp files that are not its own,
and will have additional abilities to manipulate file permissions. If
swtpm acted maliciously, it could access and mess with temporary files
belonging to other programs.
[Other Info]
This bug has been fixed in kinetic and beyond in version 0.6.3-0ubuntu4.
[Original Description]
When a user uses a tpm state directory for swtpm located somewhere in
their home directory, apparmor will deny the creation of a lock file
when a qemu vm boots, showing a message such as:
audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" operation="mknod" profile="swtpm" name="/home/.../tpmstatedir/.lock" pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
This is due to a missing line in the apparmor profile that has been
added upstream:
owner @{HOME}/** rwk,
To test (using a Windows 11 iso):
$ sudo apt install swtpm qemu-kvm
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir ~/tpmstatedir
$ swtpm socket --tpm2 --ctrl type=unixio,path=/tmp/swtpm-sock --tpmstate dir=~/tpmstatedir
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom Win11.iso
To manage notifications about this bug go to:
https://bugs.launchpad.net/swtpm/+bug/1992377/+subscriptions
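As an added example (not from the bug report or the swtpm project), a small Python helper that parses the DENIED audit line quoted above, works out which profile permissions it needs, and checks whether the upstream rule `owner @{HOME}/** rwk,` would cover it. The home path and user name in the sample are constructed; the mapping of the audit mask letter "c" (create) to the profile permission "w" follows AppArmor's file rule syntax and is an assumption of this helper, not something stated in the report.

```python
import re
from typing import Dict, Optional

# Constructed sample: the denial quoted in the bug report, joined onto one line.
# The elided home path is replaced with a made-up user (assumption, not from the page).
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1665412130.135:170): apparmor="DENIED" '
    'operation="mknod" profile="swtpm" name="/home/lena/tpmstatedir/.lock" '
    'pid=5218 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'
)
UPSTREAM_RULE = "owner @{HOME}/** rwk,"  # the line the upstream profile added

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Audit masks use "c" (create) and "d" (delete); in profile syntax both fall under "w".
_MASK_TO_PERM = {"c": "w", "d": "w"}

def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Split an AppArmor DENIED audit line into its key=value fields (None if not a denial)."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def needed_perms(fields: Dict[str, str]) -> set:
    """Profile permission letters the denied access would have required."""
    return {_MASK_TO_PERM.get(ch, ch) for ch in fields.get("denied_mask", "")}

def _glob_re(path_glob: str, home: str) -> re.Pattern:
    """Translate an AppArmor path glob ('**' crosses '/', '*' does not) into a regex."""
    out, i = "", 0
    path_glob = path_glob.replace("@{HOME}", home)
    while i < len(path_glob):
        if path_glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif path_glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(path_glob[i]), i + 1
    return re.compile("^" + out + "$")

def rule_covers(rule: str, fields: Dict[str, str], home: str) -> bool:
    """True if a single file rule such as 'owner @{HOME}/** rwk,' would allow this denial."""
    toks = rule.rstrip(",").split()
    path_glob, perms = toks[-2], set(toks[-1])
    if toks[0] == "owner" and fields.get("fsuid") != fields.get("ouid"):
        return False  # 'owner' rules only apply when the process uid owns the file
    return bool(_glob_re(path_glob, home).match(fields["name"])) and needed_perms(fields) <= perms

def minimal_rule(fields: Dict[str, str], home: str) -> str:
    """Narrowest rule for this one denial, using @{HOME} and 'owner' where they apply."""
    path = fields["name"]
    if path.startswith(home + "/"):
        path = "@{HOME}" + path[len(home):]
    prefix = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return f"{prefix}{path} {''.join(sorted(needed_perms(fields)))},"
```

Running `minimal_rule` on the sample yields `owner @{HOME}/tpmstatedir/.lock w,`, which shows how much broader the upstream `owner @{HOME}/** rwk,` is than the single denial that motivated it.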