Merge ~lvoytek/ubuntu/+source/swtpm:add-sys-admin-oracular into ubuntu/+source/swtpm:ubuntu/devel

Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merge reported by: Lena Voytek
Merged at revision: 795ee39205026106b218181e866fb501bb380485
Proposed branch: ~lvoytek/ubuntu/+source/swtpm:add-sys-admin-oracular
Merge into: ubuntu/+source/swtpm:ubuntu/devel
Diff against target: 38 lines (+12/-0)
2 files modified
debian/changelog (+10/-0)
debian/usr.bin.swtpm (+2/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Bryce Harrington (community) Approve
Canonical Server Reporter Pending
Review via email: mp+468957@code.launchpad.net

Description of the change

Add some additional apparmor permissions to fix lockfile and tpm_vtpm_proxy module access

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-add-sys-admin

Testing:

sys_admin test steps

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm apparmor -y

$ mkdir /tmp/myvtpm

# Before fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
swtpm: Ioctl to create vtpm proxy failed: Operation not permitted

$ sudo add-apt-repository ppa:lvoytek/swtpm-add-sys-admin
$ sudo apt update && sudo apt upgrade -y

# After fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
New TPM device: /dev/tpm1 (major/minor = 253/1)

lockfile test steps

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm virt-manager apparmor -y

# Create a vm with virt-manager that uses a TPM2 device and start it
# A directory will show up in /var/lib/libvirt/swtpm/ using the vm's ID, such as:
# /var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5

$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied

# Stop vm and update
$ sudo add-apt-repository ppa:lvoytek/swtpm-add-sys-admin
$ sudo apt update && sudo apt upgrade -y
$ sudo killall swtpm

# Start vm again

$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
{ "type": "swtpm", "states": [] }
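The two test cases above each start from an AppArmor denial (a capability check, and a write/lock on a lockfile owned by another user) and end with a profile change. The script below is an added example, not part of this merge proposal or of the swtpm or Ubuntu packaging: it parses AppArmor audit records of the kind those denials produce and checks which of them a simplified model of the profile (before and after the two new lines) would still deny. The audit lines are constructed samples in the standard AppArmor audit format, the lockfile name and UIDs in them are assumed, and the profile model only implements path globbing, the `owner` condition, and `w` implying create; real AppArmor evaluation has more rules than this, so treat it as a triage aid, not a policy compiler.

```python
import re

# Constructed sample audit records (not from the merge proposal). They model the
# two denial kinds the change addresses plus one unrelated denial that a
# correct profile must keep denying. Lockfile name and UIDs are assumptions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1720530000.123:456): apparmor="DENIED" operation="capable" class="cap" profile="swtpm" pid=4242 comm="swtpm" capability=21 capname="sys_admin"
type=AVC msg=audit(1720530001.456:457): apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/.lock" pid=4243 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=0
type=AVC msg=audit(1720530002.789:458): apparmor="DENIED" operation="file_lock" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/.lock" pid=4243 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=64055 ouid=0
type=AVC msg=audit(1720530003.000:459): apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/etc/shadow" pid=4244 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
"""

# Minimal model of the relevant lines of debian/usr.bin.swtpm. Each file rule is
# (glob, permissions, owner_only); only the rules needed for the samples are listed.
PROFILE_BEFORE = {
    "capabilities": {"fsetid", "setgid", "setuid"},
    "files": [
        ("/tmp/**", "rwk", False),
        ("/var/lib/libvirt/swtpm/**", "rwk", True),   # owner-only rule
    ],
}
PROFILE_AFTER = {
    "capabilities": PROFILE_BEFORE["capabilities"] | {"sys_admin"},
    "files": PROFILE_BEFORE["files"] + [("/var/lib/libvirt/swtpm/**", "wk", False)],
}

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def glob_to_regex(glob):
    """Translate AppArmor path globbing: '**' may cross '/', '*' may not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


def rule_permits(rule, rec):
    """True if a single file rule grants every permission in the denied mask."""
    glob, perms, owner_only = rule
    if not glob_to_regex(glob).match(rec.get("name", "")):
        return False
    # 'owner' rules only apply when the process fsuid matches the file owner
    if owner_only and rec.get("fsuid") != rec.get("ouid"):
        return False
    allowed = set(perms) | ({"c"} if "w" in perms else set())  # 'w' implies create
    return set(rec.get("denied_mask", "")) <= allowed


def is_covered(profile, rec):
    if rec.get("class") == "cap":
        return rec.get("capname") in profile["capabilities"]
    if rec.get("class") == "file":
        return any(rule_permits(r, rec) for r in profile["files"])
    return False


def uncovered_denials(profile, audit_text):
    """Return (operation, target) for each DENIED record the profile would still deny."""
    result = []
    for line in audit_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("apparmor") != "DENIED":
            continue
        if not is_covered(profile, rec):
            result.append((rec.get("operation"), rec.get("capname") or rec.get("name")))
    return result


if __name__ == "__main__":
    for label, prof in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        print(label, uncovered_denials(prof, SAMPLE_AUDIT))
```

Running it shows all four sample denials uncovered by the "before" profile and only the `/etc/shadow` read still denied by the "after" profile, which is the property worth checking whenever a profile is loosened: the targeted denials go away and unrelated ones do not. In practice the same check is done by reading the kernel audit log after reloading the profile rather than by modelling it.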

Revision history for this message
Bryce Harrington (bryce) wrote :

All looks like it checks out.

Thank you for the almost-paint-by-numbers test cases, this will feed directly into the SRU test case. Only improvement would be a canned vm creation cmdline; I inadvertently created a container off the bat.

Oh, also minor note that this:

    $ sudo apt update && apt dist-upgrade -y

Should be:

    $ sudo apt update
    $ sudo apt dist-upgrade -y

Everything else looks good, and packaging work is correct. +1 LGTM.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: lvoytek, bryce
Uploaders: lvoytek, bryce
MP auto-approved

review: Approve
795ee39... by Lena Voytek

changelog

Lena Voytek (lvoytek) wrote :

Thanks Bryce! Specifying vm is a good point, I'll note that in the SRU template. A new update was just posted to fix autopkgtests, rebased and uploading:

dput ubuntu ../swtpm_0.7.3-0ubuntu7_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../swtpm_0.7.3-0ubuntu7_source.changes: Valid signature from 34B8AD7D9529E793
Checking signature on .dsc
gpg: ../swtpm_0.7.3-0ubuntu7.dsc: Valid signature from 34B8AD7D9529E793
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading swtpm_0.7.3-0ubuntu7.dsc: done.
  Uploading swtpm_0.7.3-0ubuntu7.debian.tar.xz: done.
  Uploading swtpm_0.7.3-0ubuntu7_source.buildinfo: done.
  Uploading swtpm_0.7.3-0ubuntu7_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 57521a6..25c8330 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+swtpm (0.7.3-0ubuntu7) oracular; urgency=medium
7+
8+ * d/usr.bin.swtpm:
9+ - Add sys_admin capability to apparmor profile to allow access to kernel
10+ modules such as tpm_vtpm_proxy (LP: #2071478)
11+ - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
12+ apparmor denials when working with TPM2 locks (LP: #2072524)
13+
14+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 09 Jul 2024 06:06:00 -0700
15+
16 swtpm (0.7.3-0ubuntu6) oracular; urgency=medium
17
18 * Fix autopkgtests following dpkg changes (LP: #2071468)
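Review bot: the first bullet describes sys_admin as allowing "access to kernel modules such as tpm_vtpm_proxy", but in the test steps the module is already loaded by modprobe and the failure is the vtpm proxy device-creation ioctl returning "Operation not permitted", so the capability unblocks that ioctl rather than module access. Suggest wording it accordingly, e.g. `- Add sys_admin capability to apparmor profile so swtpm can create vtpm proxy devices through tpm_vtpm_proxy (LP: #2071478)`, so the SRU record states precisely what the capability is for.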
19diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
20index f5f1273..c52894d 100644
21--- a/debian/usr.bin.swtpm
22+++ b/debian/usr.bin.swtpm
23@@ -19,6 +19,7 @@ profile swtpm /usr/bin/swtpm {
24 capability fsetid,
25 capability setgid,
26 capability setuid,
27+ capability sys_admin,
28
29 network inet stream,
30 network inet6 stream,
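Review bot: `capability sys_admin,` is the broadest capability AppArmor can grant and cannot be scoped to a single ioctl, so this one line relaxes the profile well beyond the vtpm-proxy case that motivates it. If, as the test output suggests, the EPERM is a kernel capability check on the device-creation ioctl, no file rule will substitute for it and the profile has to carry it; in that case add a comment above the line stating why it is needed and that only `--vtpm-proxy` mode exercises it, so a later maintainer neither drops it nor copies it into other profiles without that context.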
31@@ -30,6 +31,7 @@ profile swtpm /usr/bin/swtpm {
32 /tmp/** rwk,
33 owner @{HOME}/** rwk,
34 owner /var/lib/libvirt/swtpm/** rwk,
35+ /var/lib/libvirt/swtpm/** wk,
36 /run/libvirt/qemu/swtpm/*.sock rwk,
37 owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock rwk,
38 owner /var/log/swtpm/libvirt/qemu/*.log rwk,
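Review bot: the new `/var/lib/libvirt/swtpm/** wk,` drops the `owner` condition for write and lock on every path under the tree, which is broader than the changelog's "non-owned lockfile write access" (the denial arises because the test runs swtpm as root against a state directory created for the VM's user). If the lockfile opened by SWTPM_NVRAM_Lock_Dir has a fixed name, match only that name, e.g. `/var/lib/libvirt/swtpm/**/LOCKFILE-NAME wk,` (placeholder for the real name), so that the NVRAM state files themselves stay reachable only through the `owner` rule on the line above.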
