[Bug 2086736] Re: AppArmor profile needs to allow access to /var/tmp

Launchpad Bug Tracker 2086736 at bugs.launchpad.net
Tue Nov 26 14:18:19 UTC 2024


This bug was fixed in the package swtpm - 0.7.3-0ubuntu8

---------------
swtpm (0.7.3-0ubuntu8) plucky; urgency=medium

  * d/usr.bin.swtpm: Allow additional tmp directory access through user-tmp
    abstraction, and remove the original full /tmp permissions (LP: #2086736)

 -- Lena Voytek <lena.voytek at canonical.com>  Fri, 08 Nov 2024 15:25:24 -0700

** Changed in: swtpm (Ubuntu Plucky)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to swtpm in Ubuntu.
https://bugs.launchpad.net/bugs/2086736

Title:
  AppArmor profile needs to allow access to /var/tmp

Status in swtpm package in Ubuntu:
  Fix Released
Status in swtpm source package in Jammy:
  New
Status in swtpm source package in Noble:
  New
Status in swtpm source package in Oracular:
  New
Status in swtpm source package in Plucky:
  Fix Released

Bug description:
  QEMU's avocado tests need access to /var/tmp/**. To avoid the
  following type of AppArmor permission failures add a rule that allows
  access to /var/tmp/**.

   type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
     operation="mknod" class="file" profile="swtpm" \
     name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
     requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="stefanb" \
     OUID="stefanb"

  To resolve this, add the following line to the usr.bin.swtpm profile:

  
  diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
  index cd7f5e8a..a6e8a627 100644
  --- a/debian/usr.bin.swtpm
  +++ b/debian/usr.bin.swtpm
  @@ -4,6 +4,7 @@
   #include <tunables/global>

   profile swtpm /usr/bin/swtpm {
  +  #include <abstractions/user-tmp>
     #include <abstractions/base>
     #include <abstractions/openssl>

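Review bot: the `#include <abstractions/user-tmp>` added at the top of the profile block is broader than the failure it answers. The logged denial is a single create (denied_mask="c") of a socket under /var/tmp/qemu_3r9txw7z/, and the description asks for a rule on /var/tmp/**, while the changelog describes the abstraction as granting additional tmp directory access. If that breadth is intended, add a comment above the include naming the QEMU avocado socket use case. The hunk shows only the addition, so the removal of the original full /tmp permissions mentioned in the 0.7.3-0ubuntu8 changelog should be part of the same change, otherwise both grants remain in the profile. Placing the new line after `#include <abstractions/base>` would also keep the base abstraction first.
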
  
  To run the QEMU avocado test use the following command:

       make check-avocado \
         AVOCADO_TESTS=tests/avocado/machine_aspeed.py:AST2x00Machine.test_arm_ast2600_evb_buildroot_tpm
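
To confirm that a proposed rule covers a denial like the one in the bug description, the following added example (not part of the bug report or the swtpm package) parses the audit record and tests it against candidate rules. The rule list, the function names and the reduced glob handling (`*`, `**`, `?` only) are assumptions of this example.

```python
import re

# Denial from the bug description, joined onto one line for this example.
SAMPLE = ('type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" '
          'operation="mknod" class="file" profile="swtpm" '
          'name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" '
          'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000')

# Hypothetical candidate rules (owner-only?, path glob, permissions), written
# for this example; they are not the contents of abstractions/user-tmp.
CANDIDATE_RULES = [(True, "/var/tmp/**", "rwkl"), (False, "/var/tmp/", "rw")]

# Audit masks 'c' (create) and 'd' (delete) are granted by 'w' in policy.
IMPLIED_BY = {"c": "w", "d": "w"}

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Translate AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = "", 0
    while i < len(glob):
        if glob[i] == "*":
            n = 2 if glob.startswith("**", i) else 1
            # A wildcard that is a whole path component needs at least one character.
            if out.endswith("/") and glob[i + n:i + n + 1] in ("", "/"):
                out += "[^/]"
            out += ".*" if n == 2 else "[^/]*"
            i += n
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z", re.S)

def covered(denial, rules):
    """True if one rule matches the path and grants every denied permission."""
    needed = {IMPLIED_BY.get(p, p) for p in denial["denied_mask"]}
    is_owner = denial.get("fsuid") == denial.get("ouid")
    return any((is_owner or not owner_only)
               and glob_to_regex(glob).match(denial["name"]) and needed <= set(perms)
               for owner_only, glob, perms in rules)

if __name__ == "__main__":
    print(covered(parse_denial(SAMPLE), CANDIDATE_RULES))
```
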
