Merge ~lvoytek/ubuntu/+source/swtpm:update-apparmor-to-upstream-jammy into ubuntu/+source/swtpm:ubuntu/jammy-devel

Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: ec80a8ffbe613d83c54bea1203521a4e2d0798f1
Proposed branch: ~lvoytek/ubuntu/+source/swtpm:update-apparmor-to-upstream-jammy
Merge into: ubuntu/+source/swtpm:ubuntu/jammy-devel
Diff against target: 68 lines (+27/-2)
2 files modified
debian/changelog (+17/-0)
debian/usr.bin.swtpm (+10/-2)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Christian Ehrhardt  (community) Approve
Steve Langasek (community) Abstain
Canonical Server Reporter Pending
Review via email: mp+433148@code.launchpad.net

Description of the change

Updating the swtpm apparmor profile to match upstream's configuration to fix some broken common use cases.

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-apparmor-match-upstream

Original conversation about additional rules to add was in the upstream merge request here:
https://github.com/stefanberger/swtpm/pull/691

Kinetic Merge: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/431370

Revision history for this message
Lena Voytek (lvoytek) wrote :

@vorlon feel free to review this change if you would like / have the time

Revision history for this message
Steve Langasek (vorlon) wrote :

> @vorlon feel free to review this change if you would like / have the time

Pass

review: Abstain
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

+1
- This matches the upstream discussion
- this is only getting less strict (which means much less chance to regress in place)
- all changes have a defined reasonable use case backing up why it is added

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: paelzer, lvoytek
Uploaders: paelzer
MP auto-approved

review: Approve
Revision history for this message
Lena Voytek (lvoytek) wrote :

Looks like the Jammy upload got rejected a while back. @Christian would you be willing to re-upload this change?

I got a notification from Stefan about this today here:
https://github.com/stefanberger/swtpm/issues/797#issuecomment-1512099570

Testing against the PPA, this change still fixes the issue brought up, although I need to dig into @DATAROOTDIR@ afterward too:

$ multipass launch 22.04 --name test-swtpm
$ multipass shell test-swtpm

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm swtpm-tools software-properties-common -y

$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as ubuntu:ubuntu @ Mon 17 Apr 2023 10:28:01 PM UTC
swtpm process terminated unexpectedly.
Could not start the TPM 2.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 17 Apr 2023 10:28:01 PM UTC

$ sudo add-apt-repository ppa:lvoytek/swtpm-apparmor-match-upstream
$ sudo apt update && sudo apt upgrade -y

$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as ubuntu:ubuntu @ Mon 17 Apr 2023 10:29:49 PM UTC
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH.
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 17 Apr 2023 10:29:49 PM UTC
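
The reproduction above exercises the profile at runtime against the PPA. As an added example (not part of this merge proposal or of the swtpm package), the Python below does the static half of the review: it parses the pre- and post-change rule lines of `debian/usr.bin.swtpm`, reports which capabilities and paths the revision loosened or tightened, and flags write rules under shared, world-writable directories that lack the `owner` qualifier. The two profile strings are constructed from the rule lines visible in the diff; header lines the diff does not show are omitted. The parser understands only the rule forms present in this profile (capability, network, and simple file rules) and is not a general AppArmor parser.

```python
"""Static check of an AppArmor profile revision.

Added example, not code from the swtpm package or this merge proposal.
OLD_PROFILE / NEW_PROFILE are constructed from the diff's rule lines; lines
the diff does not show are left out.
"""
import re

# Pre-change rules (constructed from the '-' and context lines of the diff).
OLD_PROFILE = """\
profile swtpm /usr/bin/swtpm {
  #include <local/usr.bin.swtpm>
  capability dac_override,
  network inet stream,
  network inet6 stream,
  /usr/bin/swtpm rm,
  owner /tmp/** rwk,
  owner /var/lib/libvirt/swtpm/** rwk,
  /run/libvirt/qemu/swtpm/*.sock rwk,
  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
  owner /run/libvirt/qemu/swtpm/*.pid rwk,
  owner /dev/vtpmx rw,
  owner /var/lib/swtpm/** rwk,
  owner /run/swtpm/sock rw,
}
"""

# Post-change rules (constructed from the '+' and context lines of the diff).
NEW_PROFILE = """\
profile swtpm /usr/bin/swtpm {
  #include <local/usr.bin.swtpm>
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,
  network inet stream,
  network inet6 stream,
  /usr/bin/swtpm rm,
  /tmp/** rwk,
  owner @{HOME}/** rwk,
  owner /var/lib/libvirt/swtpm/** rwk,
  /run/libvirt/qemu/swtpm/*.sock rwk,
  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
  owner /run/libvirt/qemu/swtpm/*.pid rwk,
  owner /dev/vtpmx rw,
  owner /etc/nsswitch.conf r,
  owner /var/lib/swtpm/** rwk,
  owner /run/swtpm/sock rw,
}
"""

CAP_RE = re.compile(r"^capability\s+([a-z_]+)\s*,$")
FILE_RE = re.compile(r"^(owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,$")
# Directories shared by all local users; rules here without `owner` reach other users' files.
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_profile(text):
    """Return (capabilities, file_rules); a file rule is (has_owner, path, perms)."""
    caps, rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, #include directives, block open/close and network rules.
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        if line.startswith("network "):
            continue
        m = CAP_RE.match(line)
        if m:
            caps.append(m.group(1))
            continue
        m = FILE_RE.match(line)
        if m:
            rules.append((m.group(1) is not None, m.group(2), m.group(3)))
    return caps, rules


def unowned_shared_writes(rules):
    """Paths under shared directories that are writable without the `owner` qualifier."""
    return [path for has_owner, path, perms in rules
            if not has_owner and path.startswith(SHARED_DIRS) and "w" in perms]


def policy_delta(old_text, new_text):
    """Classify each changed capability or path as loosened or tightened.
    Dropping `owner` or adding permission letters loosens; the reverse tightens."""
    old_caps, old_rules = parse_profile(old_text)
    new_caps, new_rules = parse_profile(new_text)
    old_files = {p: (o, set(perms)) for o, p, perms in old_rules}
    new_files = {p: (o, set(perms)) for o, p, perms in new_rules}
    loosened = [f"capability {c}" for c in new_caps if c not in old_caps]
    tightened = [f"capability {c}" for c in old_caps if c not in new_caps]
    for path in set(old_files) | set(new_files):
        if path not in old_files:
            loosened.append(path)
        elif path not in new_files:
            tightened.append(path)
        else:
            (old_owner, old_perms), (new_owner, new_perms) = old_files[path], new_files[path]
            if (old_owner and not new_owner) or (new_perms - old_perms):
                loosened.append(path)
            if (new_owner and not old_owner) or (old_perms - new_perms):
                tightened.append(path)
    return {"loosened": sorted(loosened), "tightened": sorted(tightened)}


if __name__ == "__main__":
    delta = policy_delta(OLD_PROFILE, NEW_PROFILE)
    print("loosened:", delta["loosened"])
    print("tightened:", delta["tightened"])
    print("unowned shared-dir writes:", unowned_shared_writes(parse_profile(NEW_PROFILE)[1]))
```

Run against the two embedded profiles it reports six new capabilities plus `@{HOME}/**`, `/etc/nsswitch.conf` and `/tmp/**` as loosened, nothing tightened, and `/tmp/**` as the one unowned writable path in a shared directory, which is the one rule a reviewer would want to see justified or narrowed.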

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Re-checked and indeed not there.
Re-uploaded (I must admit I'm not entirely sure I did before, but surely now).

Uploading swtpm_0.6.3-0ubuntu3.1.dsc
Uploading swtpm_0.6.3-0ubuntu3.1.debian.tar.xz
Uploading swtpm_0.6.3-0ubuntu3.1_source.buildinfo
Uploading swtpm_0.6.3-0ubuntu3.1_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 6ccf485..fd88eee 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,20 @@
6+swtpm (0.6.3-0ubuntu3.1) jammy; urgency=medium
7+
8+ * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
9+ In between adding the apparmor profile to Ubuntu and merging upstream
10+ additional rules were used to cover more common use cases. (LP: #1992377)
11+ - The six capability lines fix the broken upstream unit test cases:
12+ test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
13+ test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
14+ - owner @{HOME}/** rwk was added as using a folder in one's home directory
15+ is common for managing tpm states
16+ - Access in the tmp directory is further generalized as this is where swtpm
17+ interacts with qemu and libvirt
18+ - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
19+ work
20+
21+ -- Lena Voytek <lena.voytek@canonical.com> Wed, 16 Nov 2022 13:54:54 -0700
22+
23 swtpm (0.6.3-0ubuntu3) jammy; urgency=medium
24
25 * d/usr.bin.swtpm: Add additional apparmor rules
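Review bot: the entry says "The six capability lines" but names only five test cases (test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions, test_tpm2_save_load_state_2_block and test_tpm2_ctrlchannel2), and it justifies the capabilities by unit tests rather than by the runtime operation each one is needed for; naming the sixth test, or better the operation (which files swtpm chowns or whose ownership it changes), would let a later reviewer tell whether each capability is still required when the profile is revisited.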
26diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
27index 386137b..56702ad 100644
28--- a/debian/usr.bin.swtpm
29+++ b/debian/usr.bin.swtpm
30@@ -1,7 +1,7 @@
31 # vim:syntax=apparmor
32 # AppArmor policy for swtpm
33 # Author: Lena Voytek <lena.voytek@canonical.com>
34-# Last Modified: Fri Feb 18 10:23:53 2022
35+# Last Modified: Tue Oct 11 10:53:05 2022
36
37 #include <tunables/global>
38
39@@ -12,7 +12,13 @@ profile swtpm /usr/bin/swtpm {
40 # Site-specific additions and overrides. See local/README for details.
41 #include <local/usr.bin.swtpm>
42
43+ capability chown,
44 capability dac_override,
45+ capability dac_read_search,
46+ capability fowner,
47+ capability fsetid,
48+ capability setgid,
49+ capability setuid,
50
51 network inet stream,
52 network inet6 stream,
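Review bot: chown, fowner, fsetid, setgid and setuid together allow the confined process to change file ownership and switch its own credentials, a considerably wider grant than the single dac_override the profile carried before; the hunk matches the changelog, but a one-line comment beside each new capability naming the operation that needs it would keep each grant tied to a reason, and the PPA build should be checked with aa-status to confirm the profile still loads in enforce mode with these additions.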
53@@ -21,12 +27,14 @@ profile swtpm /usr/bin/swtpm {
54
55 /usr/bin/swtpm rm,
56
57- owner /tmp/** rwk,
58+ /tmp/** rwk,
59+ owner @{HOME}/** rwk,
60 owner /var/lib/libvirt/swtpm/** rwk,
61 /run/libvirt/qemu/swtpm/*.sock rwk,
62 owner /var/log/swtpm/libvirt/qemu/*.log rwk,
63 owner /run/libvirt/qemu/swtpm/*.pid rwk,
64 owner /dev/vtpmx rw,
65+ owner /etc/nsswitch.conf r,
66 owner /var/lib/swtpm/** rwk,
67 owner /run/swtpm/sock rw,
68 }
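Review bot: `/tmp/** rwk` drops the `owner` qualifier, so swtpm may now read, write and lock any file under /tmp regardless of which user owns it; the changelog explains this is where swtpm exchanges sockets with qemu and libvirt, so a narrower pattern for those socket files, with `owner /tmp/** rwk` kept for everything else, would preserve the use case with less exposure. Separately, `owner /etc/nsswitch.conf r` only matches when the file's owner equals the process's fsuid; /etc/nsswitch.conf is root-owned, so for a swtpm running as an unprivileged user the rule will not apply and the read is still denied. The plain form `/etc/nsswitch.conf r` (or including the nameservice abstraction) is what the vtpm proxy case in the changelog actually needs.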
