[Bug 2017874] Re: AppArmor denials when running swtpm as unprivileged user with session libvirtd
Olivier Gayot
2017874 at bugs.launchpad.net
Fri Aug 4 08:44:10 UTC 2023
I am also affected. I created a VM with virt-manager (connected to the
QEMU/KVM User session) and added a TPM to it.
Starting the VM failed with:
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
    installer.start_install(guest, meter=meter)
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install
    domain = self._create_guest(
             ^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest
    domain = self.conn.createXML(initial_xml or final_xml, 0)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/libvirt.py", line 4470, in createXML
    raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: operation failed: swtpm died and reported:
and the journal shows the apparmor errors that James mentioned.
https://bugs.launchpad.net/bugs/2017874
Title: AppArmor denials when running swtpm as unprivileged user with session libvirtd
Status in swtpm package in Ubuntu: Fix Committed
Bug description:
I was trying to set up a libvirt VM with an emulated TPM under
qemu:///session (i.e. a libvirtd instance running as myself).
I configured swtpm by running the following:
swtpm_setup --create-config-files skip-if-exist --tpm2
And tried creating a VM with "virt-install --connect qemu:///session
--name core-desktop --tpm emulator ...", which produced the following
output:
Starting install...
ERROR operation failed: swtpm died and reported:
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///session start core-desktop
otherwise, please restart your installation.
Searching the journal for relevant messages showed:
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1355): apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1356): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported:
It looks like the AppArmor policy in /etc/apparmor.d/usr.bin.swtpm is
set up to allow a system wide swtpm to access its socket and pid files
in /run/libvirt/qemu/swtpm, but not an unprivileged swtpm in
$XDG_RUNTIME_DIR/libvirt/qemu/run/swtpm.
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: swtpm 0.7.3-0ubuntu1
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Apr 27 16:45:25 2023
InstallationDate: Installed on 2021-03-28 (759 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Alpha amd64 (20210327)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: swtpm
UpgradeStatus: Upgraded to lunar on 2023-03-19 (38 days ago)
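The AVC records quoted in the report are the raw material for working out what the swtpm profile is missing. As an added example, not part of the bug report or of the swtpm/AppArmor tooling, the Python below parses journal lines of that form and folds the denials into a candidate least-privilege file rule; the /run/user/[0-9]*/ glob and the choice to cover the whole swtpm run directory with one rule are assumptions of this example, not the rule the Ubuntu fix shipped.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC lines and the libvirtd line from the
# bug report above, as they appear in the journal.
SAMPLE_JOURNAL = """\
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported:
"""

# key="quoted value" or key=bareword, as audit records are written.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# AppArmor file rules express create ("c") and append ("a") as write access,
# so a denied "c" needs a "w" in the rule (the same mapping aa-logprof uses).
MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "a": "w", "k": "k", "l": "l", "m": "m"}


def parse_denials(journal_text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    denials = []
    for line in journal_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        denials.append({k: q or u for k, q, u in FIELD_RE.findall(line)})
    return denials


def generalize_path(path):
    """Widen a denied path so one rule covers every session uid and domain.

    Assumption of this example: every file swtpm needs lives directly in the
    per-user run directory, so the uid becomes [0-9]* and the name becomes *.
    """
    path = re.sub(r"^/run/user/\d+/", "/run/user/[0-9]*/", path)
    return path.rsplit("/", 1)[0] + "/*"


def suggest_rules(denials, profile):
    """Merge the file denials of one profile into candidate rules, one per glob."""
    perms = defaultdict(set)
    for d in denials:
        if d.get("profile") != profile or d.get("class") != "file":
            continue
        # 'owner' limits the rule to files owned by the process's own uid,
        # the least-privilege form whenever fsuid matches ouid in the record.
        qualifier = "owner " if d.get("fsuid") == d.get("ouid") else ""
        for ch in d.get("denied_mask", ""):
            perms[(qualifier, generalize_path(d["name"]))].add(MASK_TO_RULE.get(ch, ch))
    return sorted(f"{q}{g} {''.join(sorted(p))}," for (q, g), p in perms.items())


if __name__ == "__main__":
    for rule in suggest_rules(parse_denials(SAMPLE_JOURNAL), "swtpm"):
        print(rule)
```

Review any rule it prints against the profile in /etc/apparmor.d/usr.bin.swtpm before adding it; a glob that is too wide grants more than the denial showed was needed.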