Ubuntu
libvirt package

  1. Bug #1968187
  2. Comment #5

Comment 5 for bug 1968187

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

For test purpose I was adding
  /usr/bin/swtpm PUx,
to /etc/apparmor.d/local/abstractions/libvirt-qemu

I can see the error that you mean, that is something apparmor fails to load.
One can call apparmor_parser directly to see more.

ubuntu@swtpm-jammy:~$ sudo apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-8908c397-e4dc-4e8c-a758-2436264111cc
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile libvirt-8908c397-e4dc-4e8c-a758-2436264111cc, failed to load

I think that is due to the base-profile /etc/apparmor.d/abstractions/libvirt-qemu already containing:
  /{usr/,}bin/swtpm rmix,

So we have two rules for the same confusing the parser.

Following:
https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html
I've set this to "rmpix"
In regard to execution it before was "inherit execute" and now it is "discrete profile execute with inherit fallback" e.g. for any system not having a profile for swtpm.

That now loads fine into apparmor parser fine.

As follow on the behavior now needs a few more things in the swtpm profile:

[442420.536942] audit: type=1400 audit(1649764046.690:166): apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/bin/swtpm" pid=52183 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

fsuid=113 ouid=0 - that is swtpm (on disk) vs root (caller)
And that is an mmap rule needed for the binary when called this way.

owner /usr/bin/swtpm r,
->
/usr/bin/swtpm rm,

We do not need write here, so it stays safe.

This works, but as expected in this form of execution it will issue a whole other set of denials.
Logs of those that follow are:
[442672.673504] audit: type=1400 audit(1649764298.826:178): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/5-testguest-swtpm.sock" pid=52334 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113
[442803.733113] audit: type=1400 audit(1649764429.885:184): apparmor="DENIED" operation="open" profile="swtpm" name="/var/log/swtpm/libvirt/qemu/testguest-swtpm.log" pid=52370 comm="swtpm" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[442928.727819] audit: type=1400 audit(1649764554.877:196): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/8-testguest-swtpm.pid" pid=52441 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113

These are already running under swtpm (as we have configured libvirt) and would in general match.
So those can have "owner" rules.

After these swtpm runs fine, but libvirt needs to be allowed to talk to it

[443044.357969] audit: type=1400 audit(1649764670.509:202): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=33409 comm="rpc-libvirtd" requested_mask="read" denied_mask="read" peer="swtpm"

  ptrace (read,trace) peer=swtpm,

Once communication is established we see

[443159.280775] audit: type=1400 audit(1649764785.429:249): apparmor="DENIED" operation="file_receive" profile="swtpm" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirt-202a34a9-2ee2-4826-b206-c249f535be90"
[443159.280788] audit: type=1400 audit(1649764785.429:250): apparmor="DENIED" operation="file_receive" profile="libvirt-202a34a9-2ee2-4826-b206-c249f535be90" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="swtpm"
[443159.280948] audit: type=1400 audit(1649764785.429:251): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055
[443159.280957] audit: type=1400 audit(1649764785.429:252): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055

That needs a set of other allowances to let swtpm and guests talk via sockets

One is about libvirt ouid=64055 user working with the socket fsuid=113 under the swtpm profile - so we need to drop the "owner" there.

The two socket operations are in
/etc/apparmor.d/abstractions/libvirt-qemu:
  unix (send, receive) type=stream addr=none peer=(label=swtpm),
/etc/apparmor.d/usr.bin.swtpm:
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

With that it works, no errors at the host and the guest sees:
ubuntu@testguest:~$ sudo dmesg -w | grep -i tpm
[ 0.011058] ACPI: TPM2 0x000000001FFD28A9 00004C (v04 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.011078] ACPI: Reserving TPM2 table memory at [mem 0x1ffd28a9-0x1ffd28f4]
[ 4.346241] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
ubuntu@testguest:~$ ll /dev/tpm*
crw-rw---- 1 tss root 10, 224 Apr 12 12:05 /dev/tpm0
crw-rw---- 1 tss tss 253, 65536 Apr 12 12:05 /dev/tpmrm0

I'll summarize changes in the next comment