Merge ~lvoytek/ubuntu/+source/libvirt:libvirt-fix-swtpm-apparmor-rules into ubuntu/+source/libvirt:ubuntu/devel

Proposed by Lena Voytek
Status: Merged
Merged at revision: 8d587bbb1382323a626311051c34a4725952080b
Proposed branch: ~lvoytek/ubuntu/+source/libvirt:libvirt-fix-swtpm-apparmor-rules
Merge into: ubuntu/+source/libvirt:ubuntu/devel
Diff against target: 66 lines (+44/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch (+35/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt (community) Approve
Canonical Server Core Reviewers Pending
Canonical Server Pending
Review via email: mp+419329@code.launchpad.net

Description of the change

Allow swtpm to use its own apparmor profile when run by libvirt and add swtpm interaction permissions

See also: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/419328

ppa: ppa:lvoytek/swtpm-fix-apparmor-libvirt

tested by setting up a Windows 11 instance using virt-manager and qemu on its own

tested standalone swtpm

Test details:

Running help and version:

$ swtpm --help
$ swtpm --version

Using QEMU:

$ /usr/share/swtpm/swtpm-create-user-config-files
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir /tmp/emulated_tpm
$ swtpm socket --tpmstate dir=/tmp/emulated_tpm --ctrl type=unixio,path=/tmp/emulated_tpm/swtpm-sock --log level=20 --tpm2 &
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,id=chrtpm,path=/tmp/emulated_tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -cdrom ~/Downloads/Win11_English_x64v1.iso

Using virt-manager:

> Open virt-manager
> Click New Virtual Machine button

Step 1:
> Select "Local install media (ISO image or CDROM)"
> Click Forward

Step 2:
> Click Browse and find Windows 11 iso
> Select "Automatically detect from the installation media / source"
> Click Forward

Step 3:
> Use >= 4096 MiB for Memory
> Use >= 2 CPUs
> Click Forward

Step 4:
> Select "Enable storage for this virtual machine"
> Use >= 70 GiB for storage size
> Click Forward

Step 5:
> Select "Customize configuration before install"
> Click Finish

Config Screen:
> For Overview > Firmware select UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
> For Boot Options select "SATA CDROM 1" and move it to top

> Click Add Hardware
> Select TPM with Model "TIS" and version 2.0

> Click "Begin Installation"
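The change makes libvirt hand swtpm over to its own AppArmor profile (the `rmpix` transition) instead of letting it inherit the per-guest `libvirt-<uuid>` label, so the thing worth checking after installing the PPA build is which label the running swtpm actually carries. The script below is an added verification helper, not part of this merge proposal or of the libvirt/swtpm packages; it assumes the swtpm profile is named `swtpm` (as the new peer rules do) and that the kernel exposes the confinement label under `/proc/<pid>/attr/apparmor/current` or, on older kernels, `/proc/<pid>/attr/current`.

```shell
#!/bin/sh
# Added verification helper (not part of the merge proposal): confirm that
# every running swtpm is confined by the dedicated "swtpm" profile in
# enforce mode rather than by an inherited libvirt-<uuid> label.

# Normalise a confinement string as read from /proc/<pid>/attr/current,
# e.g. "swtpm (enforce)", "libvirt-9a2b... (enforce)" or "unconfined".
# Prints "<profile>:<mode>"; unconfined processes print "unconfined:none".
aa_label_of() {
    raw=$(printf '%s' "$1" | tr -d '\n')
    case "$raw" in
        unconfined|"") echo "unconfined:none" ;;
        *' ('*')')     echo "${raw%% (*}:$(printf '%s' "${raw##* (}" | tr -d ')')" ;;
        *)             echo "$raw:unknown" ;;
    esac
}

# Return 0 only when the label is the dedicated swtpm profile in enforce
# mode; 1 for an inherited libvirt-<uuid> label, complain mode or unconfined.
swtpm_confined_ok() {
    [ "$(aa_label_of "$1")" = "swtpm:enforce" ]
}

# Walk the running swtpm processes and report each one's confinement.
# Tries the attr path newer kernels expose first, then the legacy one
# (assumption: one of the two exists on the test host).
check_running_swtpm() {
    rc=0
    for pid in $(pgrep -x swtpm 2>/dev/null); do
        f=/proc/$pid/attr/apparmor/current
        [ -r "$f" ] || f=/proc/$pid/attr/current
        label=$(cat "$f" 2>/dev/null)
        if swtpm_confined_ok "$label"; then
            echo "pid $pid: OK ($label)"
        else
            echo "pid $pid: NOT under the swtpm profile ($label)"
            rc=1
        fi
    done
    return $rc
}

# usage: sh swtpm-aa-check.sh --check   (run while the guest with the TPM is up)
if [ "${1:-}" = "--check" ]; then
    check_running_swtpm
fi
```

Run it while the virt-manager or plain-qemu guest from the test steps above is up; a swtpm still reported with a `libvirt-<uuid>` label means the exec transition in the libvirt-qemu profile did not take effect (old profile still loaded, or no `swtpm` profile present, in which case `pix` falls back to inheriting).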

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

I tested my prior repro for these bugs using a uvt-kvm testguest with TPM.
Worked fine as well

Christian Ehrhardt (paelzer) wrote :

In another case I'd have asked to add "Forwarded: no" or anything like it.
But I know that you'll do that in the next few days so this should be fine as-is.

You have the bug linked, let us just ensure to leave a trace on the bug once submitted.

Otherwise working in tests and matching the proposed changes discussed in the bug.

Also the rules added to the rather lenient libvirt profile are in themselves rather strict (talk ptrace/unix to one particular peer label, and allow entering a label for swtpm if present) - that isn't concerning in regard to the service isolation.

+1

review: Approve
Christian Ehrhardt (paelzer) wrote :

We are still before final freeze, this is a critical fix for an important new function and many teams/tests depend on it. Uploading now ...

Uploading libvirt_8.0.0-1ubuntu7.dsc
Uploading libvirt_8.0.0-1ubuntu7.debian.tar.xz
Uploading libvirt_8.0.0-1ubuntu7_source.buildinfo
Uploading libvirt_8.0.0-1ubuntu7_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index e9be033..21d2520 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+libvirt (8.0.0-1ubuntu7) jammy; urgency=medium
7+
8+ * d/p/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch: Patch the libvirtd
9+ and libvirt-qemu apparmor profiles to allow swtpm to use its own profile
10+ (LP: #1968187)
11+
12+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 12 Apr 2022 10:04:05 -0700
13+
14 libvirt (8.0.0-1ubuntu6) jammy; urgency=medium
15
16 * d/control: recommend swtpm-tools (LP: #1948748)
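Review bot: the changelog entry only says that swtpm may "use its own profile"; it should name the actual rule changes so a later reader does not have to open the patch: the swtpm exec rule in libvirt-qemu goes from `rmix` to `rmpix`, and libvirt-qemu gains a `unix ... peer=(label=swtpm)` rule while libvirtd gains `ptrace (read,trace) peer=swtpm`. The ptrace grant in particular is the kind of thing people look for in a changelog. Also worth a mention: the bug referenced (LP: #1968187) is filed against the swtpm source package and the profile transition only has an effect once the companion swtpm upload ships a `swtpm` profile, so a pointer to that upload would help anyone bisecting later.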
17diff --git a/debian/patches/series b/debian/patches/series
18index 6968446..b54e08b 100644
19--- a/debian/patches/series
20+++ b/debian/patches/series
21@@ -31,3 +31,4 @@ ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch
22 ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch
23 ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch
24 ubuntu/swtpm-by-swtpm-user.patch
25+ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch
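Review bot: the new patch is appended after `ubuntu/swtpm-by-swtpm-user.patch`, while every other `ubuntu-aa/` patch sits in the block above it. Either keep the AppArmor patches together or state in the 0035 patch header that it must apply last, because its hunk context (`/{usr/,}bin/swtpm rmix,` at libvirt-qemu line 184 and the `peer=(label=virtqemud)` line at 230) has to match the profile exactly as the preceding patches leave it, and a later reorder of series would otherwise break the apply silently at build time.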
26diff --git a/debian/patches/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch b/debian/patches/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch
27new file mode 100644
28index 0000000..d478f14
29--- /dev/null
30+++ b/debian/patches/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch
31@@ -0,0 +1,35 @@
32+Description: Update libvirt and qemu apparmor profiles to allow swtpm to use its own profile
33+Author: Lena Voytek <lena.voytek@canonical.com>
34+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1968187
35+Last-Update: 2022-04-12
36+---
37+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
38+--- a/src/security/apparmor/libvirt-qemu
39++++ b/src/security/apparmor/libvirt-qemu
40+@@ -184,7 +184,7 @@
41+ audit deny /{var/,}run/qemu/*/*.so w,
42+
43+ # swtpm
44+- /{usr/,}bin/swtpm rmix,
45++ /{usr/,}bin/swtpm rmpix,
46+ /usr/{lib,lib64}/libswtpm_libtpms.so mr,
47+ /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
48+
49+@@ -230,6 +230,7 @@
50+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
51+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
52+ unix (send, receive) type=stream addr=none peer=(label=virtqemud),
53++ unix (send, receive) type=stream addr=none peer=(label=swtpm),
54+
55+ # allow access to charm-specific ceph config (LP: #1403648).
56+ # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579)
57+--- a/src/security/apparmor/usr.sbin.libvirtd.in
58++++ b/src/security/apparmor/usr.sbin.libvirtd.in
59+@@ -58,6 +58,7 @@
60+ ptrace (read,trace) peer=dnsmasq,
61+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
62+ ptrace (read,trace) peer=libvirt-*,
63++ ptrace (read,trace) peer=swtpm,
64+
65+ signal (send) peer=dnsmasq,
66+ signal (send) peer=/usr/sbin/dnsmasq,
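Review bot: the DEP-3 header has `Description`, `Author`, `Bug-Ubuntu` and `Last-Update` but no `Forwarded:` field, which the review comment above also points out; since this edits the profiles libvirt ships upstream in src/security/apparmor/, record `Forwarded: no` or the upstream submission URL in the header. Second, the two new peer rules name only the short label `swtpm`, whereas the surrounding rules carry both forms for each peer (`peer=dnsmasq` next to `peer=/usr/sbin/dnsmasq`, `label=libvirtd` next to `label=/usr/sbin/libvirtd`). If the swtpm package ever attaches its profile by path instead of declaring it as `profile swtpm`, the `rmpix` transition still succeeds but the unix and ptrace rules stop matching; adding `peer=(label=/usr/bin/swtpm)` and `peer=/usr/bin/swtpm` variants alongside, in the style of the existing lines, would make the rules robust to that.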
