Comment 6 for bug 1968187

Christian Ehrhardt  (paelzer) wrote :

We can add those - if we agree - as an Ubuntu delta right now, to fix it before release.
But the swtpm changes should then be part of the upstreaming effort to Stefan that we planned anyway.
And the libvirt changes should go upstream there for the benefit of others as well.

Summary of changes needed across libvirt and swtpm packages/profiles:

ubuntu@swtpm-jammy:~$ for f in /etc/apparmor.d/abstractions/libvirt-qemu /etc/apparmor.d/usr.bin.swtpm /etc/apparmor.d/usr.sbin.libvirtd; do echo $f; diff -Naur $f.orig $f; done

/etc/apparmor.d/abstractions/libvirt-qemu

--- /etc/apparmor.d/abstractions/libvirt-qemu.orig 2022-04-12 11:51:00.834171997 +0000
+++ /etc/apparmor.d/abstractions/libvirt-qemu 2022-04-12 12:04:10.105197715 +0000
@@ -184,7 +184,7 @@
   audit deny /{var/,}run/qemu/*/*.so w,

   # swtpm
- /{usr/,}bin/swtpm rmix,
+ /{usr/,}bin/swtpm rmpix,
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
   /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
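Review bot: The exec mode `rmpix` on the changed swtpm line falls back to inheriting the caller's libvirt-<uuid> profile (`i`) whenever no profile is attached to /usr/bin/swtpm, so a missing or failed-to-load usr.bin.swtpm profile would not surface as an error but would quietly leave swtpm confined as the guest. If the intent is that swtpm always runs under its own profile, `/{usr/,}bin/swtpm rmpx,` makes that failure visible (the exec is denied) instead of masked. If the fallback is deliberate for hosts without the swtpm profile, a comment such as `# pix: use the swtpm profile when loaded, otherwise inherit the guest profile` would keep the next reader from tightening it without knowing why.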

@@ -230,6 +230,7 @@
   unix (send, receive) type=stream addr=none peer=(label=libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
   unix (send, receive) type=stream addr=none peer=(label=virtqemud),
+ unix (send, receive) type=stream addr=none peer=(label=swtpm),

   # allow access to charm-specific ceph config (LP: #1403648).
   # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579)
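Review bot: The new peer rule names the swtpm profile as `label=swtpm`, whereas the two libvirtd lines just above it carry both the short name and the path form (`label=libvirtd` and `label=/usr/sbin/libvirtd`); the profile header of /etc/apparmor.d/usr.bin.swtpm is not shown here, and if that profile is attached by path rather than declared as `profile swtpm`, the confined label is `/usr/bin/swtpm` and this rule will not match. Either confirm the profile name or add the path form alongside, `unix (send, receive) type=stream addr=none peer=(label=/usr/bin/swtpm),`, matching the existing pair. The same question applies to the `ptrace (read,trace) peer=swtpm,` line in the usr.sbin.libvirtd hunk, which likewise has no `/usr/bin/swtpm` counterpart next to the dnsmasq pair.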

/etc/apparmor.d/usr.bin.swtpm

--- /etc/apparmor.d/usr.bin.swtpm.orig 2022-04-12 11:50:33.586205088 +0000
+++ /etc/apparmor.d/usr.bin.swtpm 2022-04-12 12:04:58.569137867 +0000
@@ -16,10 +16,15 @@

   network inet stream,
   network inet6 stream,
+
   unix (send) type=dgram addr=none peer=(addr=none),
+ unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

   owner /tmp/** rwk,
- owner /usr/bin/swtpm r,
+ /usr/bin/swtpm rm,
   owner /var/lib/libvirt/swtpm/** rwk,
+ /run/libvirt/qemu/swtpm/*.sock rwk,
+ owner /var/log/swtpm/libvirt/qemu/*.log rwk,
+ owner /run/libvirt/qemu/swtpm/*.pid rwk,
   owner /dev/vtpmx rw,
 }
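Review bot: The new socket rule `/run/libvirt/qemu/swtpm/*.sock rwk,` is the only one of the three added paths without `owner`, while the sibling `*.pid` and `*.log` lines keep it; if swtpm creates the socket itself under its own uid, `owner` applies equally and would preserve the profile's existing pattern, and if libvirtd pre-creates it as root the asymmetry deserves a comment such as `# socket is created by libvirtd, so no owner match`. Separately, `peer=(label=libvirt-*)` lets any confined guest exchange stream sockets with any swtpm instance; that is presumably narrowed to one guest per instance by the per-domain socket path each libvirt-<uuid> profile is given, which is not visible here and is worth stating on the rule. The enclosing profile block begins before the hunk.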

/etc/apparmor.d/usr.sbin.libvirtd

--- /etc/apparmor.d/usr.sbin.libvirtd.orig 2022-04-12 11:58:44.725602007 +0000
+++ /etc/apparmor.d/usr.sbin.libvirtd 2022-04-12 11:59:23.193554346 +0000
@@ -58,6 +58,7 @@
   ptrace (read,trace) peer=dnsmasq,
   ptrace (read,trace) peer=/usr/sbin/dnsmasq,
   ptrace (read,trace) peer=libvirt-*,
+ ptrace (read,trace) peer=swtpm,

   signal (send) peer=dnsmasq,
   signal (send) peer=/usr/sbin/dnsmasq,
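Review bot: No `signal (send) peer=swtpm,` accompanies the new ptrace line, although the dnsmasq entries that follow pair ptrace with signal and libvirtd is the process that stops swtpm when a domain is shut down; unless a broader signal rule outside this hunk already covers it, stopping the emulator would likely be denied by signal mediation, since ptrace read only permits inspecting its /proc state. If the profile uses the path label, mirror the dnsmasq lines with `signal (send) peer=swtpm,` and `signal (send) peer=/usr/bin/swtpm,`. The hunk ends mid-profile; the signal list continues below it.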