Merge ~lvoytek/ubuntu/+source/swtpm:swtpm-lp1950631-add-apparmor-jammy into ubuntu/+source/swtpm:ubuntu/devel

Hi,

this looks worthwhile, however it looks like as is the profile would cause me trouble. We have a project making heavy use of swtpm with kvm (not libvirt) with custom profiles. I assume that allowing full access to ${HOME} would make you uncomfortable?

> Hi,
>
> this looks worthwhile, however it looks like as is the profile would cause me
> trouble. We have a project making heavy use of swtpm with kvm (not libvirt)
> with custom profiles. I assume that allowing full access to ${HOME} would
> make you uncomfortable?

Hello,

Thanks for the feedback. I think home access can be added since that is an important use case. If that ends up being too nonrestrictive then it can be updated later on. I will update the commits to add it in

Hi Serge, long time not seen, glad that you are still around!

@Serge:
On one hand I wonder if the owner restriction as shown now:
  owner @{HOME}/** rwk,
would work for you?
What users do your use case run swtpm as and would that work then?

@Serge;
Furthermore, how common is that setup of yours?
Even if you are unable to talk about details, is it "a very special things unlikely to happen generally around the world", or is it more like "you don't know yet, but in a year everyone will be doing that"?

If it is anywhere close to the former I'd suggest in that case it might make sense to just put a rule int he local override /etc/apparmor.d/local/usr.bin.swtpm

@Lena
Which does bring me to that as a question - IIRC dh_apparmor will automatically add a template for the local overrides in /etc/apparmor.d/local/usr.bin.swtpm - could you confirm that?
If it does not we need to fix that.
And once it does I think we then need an include here in your profile like
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.libvirtd>
Or is that include also added automatically nowadays and I missed that feature?

@Lena
looking at this initial profile also a question about
  include <abstractions/libvirt-qemu>
Did your experiments end up with a profile very close to this abstraction so that you added it?
Or was this just the assumption that it needs to be used in libvirt/qemu scope?

Because that abstraction allows a lot that I'd expect swtpm to not need.
After all it is more like

qemu (does qemu things) - needs abstractions/libvirt-qemu
 ^
 |
 v
socket
 ^
 |
 v
swtpm (does swtpm things) does not need abstractions/libvirt-qemu

base, ssl, common used paths, that all LGTM, but the libvirt-qemu abstraction I'm not sure.
Happy to get explained why I'm wrong :-)

I hope this alignment survives, but TL;DR without studying it further the abstractions/libvirt-qemu seems too much for swtpm.

> @Lena
> looking at this initial profile also a question about
> include <abstractions/libvirt-qemu>
> Did your experiments end up with a profile very close to this abstraction so
> that you added it?
> Or was this just the assumption that it needs to be used in libvirt/qemu
> scope?
>
> Because that abstraction allows a lot that I'd expect swtpm to not need.
> After all it is more like
>
>
> qemu (does qemu things) - needs abstractions/libvirt-qemu
> ^
> |
> v
> socket
> ^
> |
> v
> swtpm (does swtpm things) does not need abstractions/libvirt-qemu
>
> base, ssl, common used paths, that all LGTM, but the libvirt-qemu abstraction
> I'm not sure.
> Happy to get explained why I'm wrong :-)
>
> I hope this alignment survives, but TL;DR without studying it further the
> abstractions/libvirt-qemu seems too much for swtpm.

That's fair. When building the profile aa-logprof recommended I add it in because swtpm wanted to use multiple permissions from it. In its current state though, when I take the include out and put it in complain mode, it only needs the capability dac_override from it. Do you think it would be better to just add that instead, and should I try to restrict it further?

Thanks!

> Hi Serge, long time not seen, glad that you are still around!
>
> @Serge:
> On one hand I wonder if the owner restriction as shown now:
> owner @{HOME}/** rwk,
> would work for you?
> What users do your use case run swtpm as and would that work then?
>
> @Serge;
> Furthermore, how common is that setup of yours?
> Even if you are unable to talk about details, is it "a very special things
> unlikely to happen generally around the world", or is it more like "you don't
> know yet, but in a year everyone will be doing that"?
>
> If it is anywhere close to the former I'd suggest in that case it might make
> sense to just put a rule int he local override
> /etc/apparmor.d/local/usr.bin.swtpm
>
> @Lena
> Which does bring me to that as a question - IIRC dh_apparmor will
> automatically add a template for the local overrides in
> /etc/apparmor.d/local/usr.bin.swtpm - could you confirm that?
> If it does not we need to fix that.
> And once it does I think we then need an include here in your profile like
> # Site-specific additions and overrides. See local/README for details.
> #include <local/usr.sbin.libvirtd>
> Or is that include also added automatically nowadays and I missed that
> feature?

I can confirm that the local usr.bin.swtpm gets created automatically but is a blank file by default. I could modify the install such that it gets created with helpful info though

I made a tiny suggestion based on https://gitlab.com/apparmor/apparmor/-/wikis/DeprecateProfilePathName

> I made a tiny suggestion based on
> https://gitlab.com/apparmor/apparmor/-/wikis/DeprecateProfilePathName

Thanks for the help! Got the profile name updated

> > I hope this alignment survives, but TL;DR without studying it further the
> > abstractions/libvirt-qemu seems too much for swtpm.
>
> That's fair. When building the profile aa-logprof recommended I add it in because swtpm wanted to use multiple permissions from it. In its current state though, when I take the include out and put it in complain mode, it only needs the capability dac_override from it. Do you think it would be better to just add that instead, and should I try to restrict it further?

Yes - This abstraction reflects a different use-case and therefore
isn't really applicable
I think removing abstractions/libvirt-qemu and instead adding what you
really need is better.

> > # Site-specific additions and overrides. See local/README for details.
> > #include <local/usr.sbin.libvirtd>
...
> I can confirm that the local usr.bin.swtpm gets created automatically but is a blank file by default. I could modify the install such that it gets created with helpful info though

The empty template is just fine IMHO - that is the default for all
files and the apparmor man pages explain all that is needed.
But adding that include I mentioned would be needed.
Also that comment above the include points to the README which also
explains how these local overrides are meant to work.

Tested the local include and dac_override and both are working properly for the above testcases

It's not a secret thing at all, we just haven't yet open sourced
what we're doing only bc there are many moving parts. The
relevent part here is a bit like

    https://github.com/puzzleos/uefi-dev
    https://github.com/puzzleos/uefi-dev/blob/main/tools/run-sw-tpm

except written in golang (and more purpose driven).

So I think you're right about the local override being the
way. Giving swtpm full reign over $HOME is probably too much.
We should probably either

1. drop the ${HOME}/** rwk,

or pick a subdir like

2. ${HOME}/.cache/swtpm/** rwk

But whichever way you go, +1 from me, thank you.

> It's not a secret thing at all, we just haven't yet open sourced
> what we're doing only bc there are many moving parts. The
> relevent part here is a bit like
>
> https://github.com/puzzleos/uefi-dev
> https://github.com/puzzleos/uefi-dev/blob/main/tools/run-sw-tpm
>
> except written in golang (and more purpose driven).
>
> So I think you're right about the local override being the
> way. Giving swtpm full reign over $HOME is probably too much.
> We should probably either
>
> 1. drop the ${HOME}/** rwk,
>
> or pick a subdir like
>
> 2. ${HOME}/.cache/swtpm/** rwk
>
> But whichever way you go, +1 from me, thank you.

The subdir addition seems reasonable to me because its specific to swtpm so I added that in. Thanks for the feedback!

Hi,

you say:

> The subdir addition seems reasonable to me because its specific to swtpm so I added that in.

but I'm not seeing it in the patch below. Can you double-check that the right thing got pushed?

thanks :)

> Hi,
>
> you say:
>
> > The subdir addition seems reasonable to me because its specific to swtpm so
> I added that in.
>
> but I'm not seeing it in the patch below. Can you double-check that the right
> thing got pushed?
>
> thanks :)

Hi,

I just talked with Simon about it, and I think it may be best to go with option 1 and just reference the home directory via the local profile instead.

Thanks!

Thanks.

Added in network streams and /dev/vtpmx, autopkgtests now passing successfully

It seems we do not enable the "cuse" option yet, so their need for /dev/* isn't relevant yet.
You have covered the common use cases AFAICS and IMHO it is better to start slightly too secure and amend the profile if valid use cases are reported instead of starting way too open.

+1 to this

What we need from now is (both can be started and worked on independently):
1. Get FFE Ack by the release team and this uploaded to Jammy
2. Send this to swtpm upstream

If out of #2 there are modifications to the profile we can then later SRU them.

FFE approved and sponsored - thanks!