Merge ~lvoytek/ubuntu/+source/swtpm:update-apparmor-to-upstream-kinetic into ubuntu/+source/swtpm:ubuntu/devel

Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 700e2683b90c820426283402be5840a637616fed
Proposed branch: ~lvoytek/ubuntu/+source/swtpm:update-apparmor-to-upstream-kinetic
Merge into: ubuntu/+source/swtpm:ubuntu/devel
Diff against target: 68 lines (+27/-2)
2 files modified
debian/changelog (+17/-0)
debian/usr.bin.swtpm (+10/-2)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Christian Ehrhardt  (community) Approve
Canonical Server Core Reviewers Pending
Canonical Server Reporter Pending
Review via email: mp+431370@code.launchpad.net

Description of the change

Updating the swtpm AppArmor profile to match upstream's configuration to fix some broken common use cases.

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-apparmor-match-upstream

The original conversation about additional rules to add was in the upstream merge request here:
https://github.com/stefanberger/swtpm/pull/691

Christian Ehrhardt  (paelzer) wrote :

Bug LGTM, changes LGTM, Overall +1

And with the next version we will be able to just use the one from upstream then.

We are kind of last minute, so I'll sponsor it right away before final freeze (tomorrow).

review: Approve
Christian Ehrhardt  (paelzer) wrote :

The changelog explains well what is needed for what - that will be helpful if you plan to SRU it as well.

Christian Ehrhardt  (paelzer) wrote :

Double checked - `$ git diff upstream/master -- debian/usr.bin.swtpm` just shows the Author difference, which is fine.

Christian Ehrhardt  (paelzer) wrote :

Uploading swtpm_0.6.3-0ubuntu4.dsc
Uploading swtpm_0.6.3-0ubuntu4.debian.tar.xz
Uploading swtpm_0.6.3-0ubuntu4_source.buildinfo
Uploading swtpm_0.6.3-0ubuntu4_source.changes

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: paelzer, lvoytek
Uploaders: paelzer
MP auto-approved

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 6ccf485..8091a44 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,20 @@
6+swtpm (0.6.3-0ubuntu4) kinetic; urgency=medium
7+
8+ * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
9+ In between adding the apparmor profile to Ubuntu and merging upstream
10+ additional rules were used to cover more common use cases. (LP: #1992377)
11+ - The six capability lines fix the broken upstream unit test cases:
12+ test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
13+ test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
14+ - owner @{HOME}/** rwk was added as using a folder in one's home directory
15+ is common for managing tpm states
16+ - Access in the tmp directory is further generalized as this is where swtpm
17+ interacts with qemu and libvirt
18+ - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
19+ work
20+
21+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 11 Oct 2022 10:54:21 -0700
22+
23 swtpm (0.6.3-0ubuntu3) jammy; urgency=medium
24
25 * d/usr.bin.swtpm: Add additional apparmor rules
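Review bot: the third bullet says access in the tmp directory "is further generalized" but does not say why the `owner` qualifier was dropped from the /tmp rule; since that is the one change in this upload that grants access to files not owned by the swtpm user, the entry should state the reason explicitly (which qemu- or libvirt-created files under /tmp swtpm has to open) so an SRU reviewer can judge it from the changelog alone. Minor: "In between adding the apparmor profile to Ubuntu and merging upstream additional rules were used" needs a comma after "upstream".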
26diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
27index 386137b..56702ad 100644
28--- a/debian/usr.bin.swtpm
29+++ b/debian/usr.bin.swtpm
30@@ -1,7 +1,7 @@
31 # vim:syntax=apparmor
32 # AppArmor policy for swtpm
33 # Author: Lena Voytek <lena.voytek@canonical.com>
34-# Last Modified: Fri Feb 18 10:23:53 2022
35+# Last Modified: Tue Oct 11 10:53:05 2022
36
37 #include <tunables/global>
38
39@@ -12,7 +12,13 @@ profile swtpm /usr/bin/swtpm {
40 # Site-specific additions and overrides. See local/README for details.
41 #include <local/usr.bin.swtpm>
42
43+ capability chown,
44 capability dac_override,
45+ capability dac_read_search,
46+ capability fowner,
47+ capability fsetid,
48+ capability setgid,
49+ capability setuid,
50
51 network inet stream,
52 network inet6 stream,
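Review bot: six capabilities (chown, dac_read_search, fowner, fsetid, setgid, setuid) are granted in one step, with the failing upstream tests named in the changelog as the only justification; please record which test or swtpm code path needs each one. In particular `capability dac_read_search,` on top of the existing `capability dac_override,` lets the confined process bypass read and search permission checks on every path its file rules allow, and setuid/setgid/chown/fowner/fsetid are exactly the capabilities a profile should keep to the minimum set actually exercised. Confirming each against the recorded audit denials (aa-logprof over the test runs) before merge would make the list defensible.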
53@@ -21,12 +27,14 @@ profile swtpm /usr/bin/swtpm {
54
55 /usr/bin/swtpm rm,
56
57- owner /tmp/** rwk,
58+ /tmp/** rwk,
59+ owner @{HOME}/** rwk,
60 owner /var/lib/libvirt/swtpm/** rwk,
61 /run/libvirt/qemu/swtpm/*.sock rwk,
62 owner /var/log/swtpm/libvirt/qemu/*.log rwk,
63 owner /run/libvirt/qemu/swtpm/*.pid rwk,
64 owner /dev/vtpmx rw,
65+ owner /etc/nsswitch.conf r,
66 owner /var/lib/swtpm/** rwk,
67 owner /run/swtpm/sock rw,
68 }
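Review bot: `owner /etc/nsswitch.conf r,` almost certainly does not do what the changelog intends: the `owner` qualifier only matches when the file's owner matches the process's fsuid, and /etc/nsswitch.conf is root-owned, so any swtpm instance running as a non-root user is still denied the read; drop `owner` from that rule. Separately, `/tmp/** rwk,` (no `owner`) and `owner @{HOME}/** rwk,` together make the profile very permissive: the first grants write and lock on any file under /tmp regardless of who created it, the second on everything the invoking user owns anywhere in their home directory rather than a dedicated state directory. If a narrower path cannot be agreed with upstream, at least note in the profile that these are the rules a site would want to tighten via local/usr.bin.swtpm.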
