[Bug 2071478] Re: Add sys_admin capability to apparmor profile by default

Lena Voytek 2071478 at bugs.launchpad.net
Thu Aug 22 17:17:44 UTC 2024 

Re-ran tests to confirm. I made sure 0.7.3-0ubuntu5.24.04.1 was used in
noble, and 0.6.3-0ubuntu3.3 in jammy. Both tests are still successful.
Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2071478

Title:
  Add sys_admin capability to apparmor profile by default

Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  Fix Released
Status in swtpm source package in Mantic:
  Won't Fix
Status in swtpm source package in Noble:
  Fix Released
Status in swtpm source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  The default apparmor profile for swtpm blocks access to kernel
  modules, which causes a failure when using the --vtpm-proxy argument,
  since it requires tpm_vtpm_proxy.

  The fix for this should be backported so the vtpm-proxy works for
  users by default.

  The issue is fixed by adding the sys_admin capability, which gives
  swtpm access to the required kernel modules

  [Test Plan]

  $ sudo apt update && sudo apt dist-upgrade -y
  $ sudo apt install swtpm apparmor -y

  $ mkdir /tmp/myvtpm

  # Before fix
  $ sudo modprobe tpm_vtpm_proxy
  $ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
  swtpm: Ioctl to create vtpm proxy failed: Operation not permitted

  # After fix
  $ sudo modprobe tpm_vtpm_proxy
  $ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
  New TPM device: /dev/tpm1 (major/minor = 253/1)

  [Where problems could occur]

  This change will allow swtpm to access various kernel modules by
  default. So if malicious code were to exist within swtpm, then it
  would have far greater access when running with super user
  permissions.

  Likewise, with a change to the apparmor profile, a conflict will occur
  on update for users that modified their profile directly.

  [Other Info]
   
  The issue was fixed in oracular in 0.7.3-0ubuntu7.

  [Original Description]

  Based on the upstream discussion here -
  https://github.com/stefanberger/swtpm/discussions/866 - certain
  features of swtpm require access to kernel modules to work. For
  example, using --vtpm-proxy requires the tpm_vtpm_proxy module. This
  should work by default, and is fixed by adding capability sys_admin to
  the apparmor profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2071478/+subscriptions

More information about the foundations-bugs mailing list