For test purposes I was adding

/usr/bin/swtpm PUx,

to /etc/apparmor.d/local/abstractions/libvirt-qemu

I can see the error that you mean; that is something apparmor fails to load.
One can call apparmor_parser directly to see more.

ubuntu@swtpm-jammy:~$ sudo apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-8908c397-e4dc-4e8c-a758-2436264111cc
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile libvirt-8908c397-e4dc-4e8c-a758-2436264111cc, failed to load

I think that is due to the base-profile /etc/apparmor.d/abstractions/libvirt-qemu already containing:

/{usr/,}bin/swtpm rmix,

So we have two rules for the same binary, confusing the parser.

Following: https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html
I've set this to "rmpix"

In regard to execution, it was "inherit execute" before and now it is "discrete profile execute with inherit fallback", e.g. for any system not having a profile for swtpm.
That now loads fine into the apparmor parser.

As a follow-on, the behavior now needs a few more things in the swtpm profile:

[442420.536942] audit: type=1400 audit(1649764046.690:166): apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/bin/swtpm" pid=52183 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

fsuid=113 ouid=0 - that is swtpm (on disk) vs root (caller)
And that is an mmap rule needed for the binary when called this way.

owner /usr/bin/swtpm r,
->
/usr/bin/swtpm rm,

We do not need write here, so it stays safe.

This works, but as expected in this form of execution it will issue a whole other set of denials.
Logs of those that follow are:

[442672.673504] audit: type=1400 audit(1649764298.826:178): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/5-testguest-swtpm.sock" pid=52334 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113
[442803.733113] audit: type=1400 audit(1649764429.885:184): apparmor="DENIED" operation="open" profile="swtpm" name="/var/log/swtpm/libvirt/qemu/testguest-swtpm.log" pid=52370 comm="swtpm" requested_mask="ac" denied_mask="ac" fsuid=113 ouid=113
[442928.727819] audit: type=1400 audit(1649764554.877:196): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/8-testguest-swtpm.pid" pid=52441 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113

These are already running under swtpm (as we have configured libvirt) and would in general match.
So those can have "owner" rules.

After these, swtpm runs fine, but libvirt needs to be allowed to talk to it.

[443044.357969] audit: type=1400 audit(1649764670.509:202): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=33409 comm="rpc-libvirtd" requested_mask="read" denied_mask="read" peer="swtpm"

ptrace (read,trace) peer=swtpm,

Once communication is established we see:

[443159.280775] audit: type=1400 audit(1649764785.429:249): apparmor="DENIED" operation="file_receive" profile="swtpm" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirt-202a34a9-2ee2-4826-b206-c249f535be90"
[443159.280788] audit: type=1400 audit(1649764785.429:250): apparmor="DENIED" operation="file_receive" profile="libvirt-202a34a9-2ee2-4826-b206-c249f535be90" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="swtpm"
[443159.280948] audit: type=1400 audit(1649764785.429:251): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055
[443159.280957] audit: type=1400 audit(1649764785.429:252): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055

That needs a set of other allowances to let swtpm and guests talk via sockets.
One is about the libvirt user (ouid=64055) working with the socket (fsuid=113) under the swtpm profile, so we need to drop the "owner" there.

The two socket operations are in

/etc/apparmor.d/abstractions/libvirt-qemu:
unix (send, receive) type=stream addr=none peer=(label=swtpm),

/etc/apparmor.d/usr.bin.swtpm:
unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

With that it works, no errors at the host and the guest sees:

ubuntu@testguest:~$ sudo dmesg -w | grep -i tpm
[ 0.011058] ACPI: TPM2 0x000000001FFD28A9 00004C (v04 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.011078] ACPI: Reserving TPM2 table memory at [mem 0x1ffd28a9-0x1ffd28f4]
[ 4.346241] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1, rev-id 1)
ubuntu@testguest:~$ ll /dev/tpm*
crw-rw---- 1 tss root 10, 224 Apr 12 12:05 /dev/tpm0
crw-rw---- 1 tss tss 253, 65536 Apr 12 12:05 /dev/tpmrm0

I'll summarize the changes in the next comment.
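As an added example (not code from the bug report, nor from the swtpm or libvirt projects), the following script turns audit denial lines like the ones quoted above into candidate AppArmor rules using the rules of thumb the comment applies: "owner" only when fsuid equals ouid, an "m" permission for file_mmap denials, and a libvirt-* glob for per-guest peer labels. The function names are my own; the lines in SAMPLE_DENIALS are copied from the denials quoted in the comment.

```python
import re

# key=value and key="quoted value" pairs of an AppArmor audit line
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# libvirt names per-guest profiles libvirt-<uuid>; match them with a glob
_UUID_LABEL_RE = re.compile(r"^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_denial(line):
    """Fields of an apparmor="DENIED" line as a dict, or None for other lines."""
    fields = {k: q or v for k, q, v in _KV_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def file_perms(denied_mask, operation):
    """Translate denied_mask letters into file-rule permission letters."""
    perms = set(denied_mask)
    if "c" in perms:                 # create is covered by w in profile syntax
        perms = (perms - {"c"}) | {"w"}
    if "w" in perms:
        perms.discard("a")           # w already implies append
    if operation == "file_mmap":
        perms.add("m")               # the binary is mapped, not merely read
    return "".join(p for p in "rwalkm" if p in perms)

def suggest_rule(d):
    """Candidate rule for one parsed denial, following the reasoning above."""
    if d.get("family") == "unix":
        perms = ", ".join(d["denied_mask"].split())
        peer = _UUID_LABEL_RE.sub("libvirt-*", d["peer"])
        return f'unix ({perms}) type={d["sock_type"]} addr=none peer=(label={peer}),'
    if d.get("operation") == "ptrace":
        return f'ptrace ({d["denied_mask"]}) peer={d["peer"]},'
    if "name" in d:
        # "owner" only matches when the file's owner equals the task's fsuid
        owner = "owner " if d.get("fsuid") == d.get("ouid") else ""
        return f'{owner}{d["name"]} {file_perms(d["denied_mask"], d.get("operation"))},'
    return None

def candidate_rules(lines):
    """(profile, rule) pairs, so rules can be sorted into the right profile file."""
    return [(d["profile"], suggest_rule(d)) for d in map(parse_denial, lines) if d]

# Denial lines quoted in the comment above, one per kind of rule derived from them.
SAMPLE_DENIALS = [
    '[442420.536942] audit: type=1400 audit(1649764046.690:166): apparmor="DENIED" operation="file_mmap" profile="swtpm" name="/usr/bin/swtpm" pid=52183 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=113 ouid=0',
    '[442672.673504] audit: type=1400 audit(1649764298.826:178): apparmor="DENIED" operation="mknod" profile="swtpm" name="/run/libvirt/qemu/swtpm/5-testguest-swtpm.sock" pid=52334 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=113 ouid=113',
    '[443159.280948] audit: type=1400 audit(1649764785.429:251): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/libvirt/qemu/swtpm/10-testguest-swtpm.sock" pid=52548 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=113 ouid=64055',
    '[443159.280775] audit: type=1400 audit(1649764785.429:249): apparmor="DENIED" operation="file_receive" profile="swtpm" pid=52548 comm="swtpm" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirt-202a34a9-2ee2-4826-b206-c249f535be90"',
    '[443044.357969] audit: type=1400 audit(1649764670.509:202): apparmor="DENIED" operation="ptrace" profile="libvirtd" pid=33409 comm="rpc-libvirtd" requested_mask="read" denied_mask="read" peer="swtpm"',
]
```

The output is a starting point for review, not a profile to load as-is: the mmap line yields `/usr/bin/swtpm rm,` without "owner" because fsuid and ouid differ, while the socket created by swtpm itself keeps "owner".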