[Bug 2071478] Re: Add sys_admin capability to apparmor profile by default

Launchpad Bug Tracker 2071478 at bugs.launchpad.net
Tue Jul 9 17:56:30 UTC 2024


This bug was fixed in the package swtpm - 0.7.3-0ubuntu7

---------------
swtpm (0.7.3-0ubuntu7) oracular; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <lena.voytek at canonical.com>  Tue, 09 Jul 2024 06:06:00 -0700

** Changed in: swtpm (Ubuntu Oracular)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2071478

Title:
  Add sys_admin capability to apparmor profile by default

Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  In Progress
Status in swtpm source package in Mantic:
  In Progress
Status in swtpm source package in Noble:
  In Progress
Status in swtpm source package in Oracular:
  Fix Released

Bug description:
  Based on the upstream discussion here -
  https://github.com/stefanberger/swtpm/discussions/866 - certain
  features of swtpm require access to kernel modules to work. For
  example, using --vtpm-proxy requires the tpm_vtpm_proxy module. This
  should work by default, and is fixed by adding capability sys_admin to
  the apparmor profile.
