[Bug 2071478] Re: Add sys_admin capability to apparmor profile by default

Thu Aug 22 16:51:26 UTC 2024

Thanks for the verification Lena, could you please confirm if the test
plan execution from comment #6 was executed with the swtpm version from
proposed? I can see that the proposed pocket was added, but given the
default pinning it has nowadays (which makes it lower prio than updates
or release), I can't tell if the actual package from proposed was
installed. I suspect it was, because the test worked, and wasn't working
before, but a quick confirmation would be ideal.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2071478

Title:
  Add sys_admin capability to apparmor profile by default

Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  Fix Committed
Status in swtpm source package in Mantic:
  Won't Fix
Status in swtpm source package in Noble:
  Fix Released
Status in swtpm source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  The default apparmor profile for swtpm blocks access to kernel
  modules, which causes a failure when using the --vtpm-proxy argument,
  since it requires tpm_vtpm_proxy.

  The fix for this should be backported so the vtpm-proxy works for
  users by default.

  The issue is fixed by adding the sys_admin capability, which gives
  swtpm access to the required kernel modules

  [Test Plan]

  $ sudo apt update && sudo apt dist-upgrade -y
  $ sudo apt install swtpm apparmor -y

  $ mkdir /tmp/myvtpm

  # Before fix
  $ sudo modprobe tpm_vtpm_proxy
  $ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
  swtpm: Ioctl to create vtpm proxy failed: Operation not permitted

  # After fix
  $ sudo modprobe tpm_vtpm_proxy
  $ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
  New TPM device: /dev/tpm1 (major/minor = 253/1)

  [Where problems could occur]

  This change will allow swtpm to access various kernel modules by
  default. So if malicious code were to exist within swtpm, then it
  would have far greater access when running with super user
  permissions.

  Likewise, with a change to the apparmor profile, a conflict will occur
  on update for users that modified their profile directly.

  [Other Info]

  The issue was fixed in oracular in 0.7.3-0ubuntu7.

  [Original Description]

  Based on the upstream discussion here -
  https://github.com/stefanberger/swtpm/discussions/866 - certain
  features of swtpm require access to kernel modules to work. For
  example, using --vtpm-proxy requires the tpm_vtpm_proxy module. This
  should work by default, and is fixed by adding capability sys_admin to
  the apparmor profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2071478/+subscriptions