Merge ~lvoytek/ubuntu/+source/swtpm:aa-sysadmin-lockfile-noble into ubuntu/+source/swtpm:ubuntu/noble-devel

Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: c4e84839fee686d6160cff2bc6cccc2558eada83
Proposed branch: ~lvoytek/ubuntu/+source/swtpm:aa-sysadmin-lockfile-noble
Merge into: ubuntu/+source/swtpm:ubuntu/noble-devel
Diff against target: 38 lines (+12/-0)
2 files modified
debian/changelog (+10/-0)
debian/usr.bin.swtpm (+2/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Bryce Harrington (community) Approve
Canonical Server Reporter Pending
Review via email: mp+470383@code.launchpad.net

Description of the change

Add some additional apparmor permissions to fix lockfile and tpm_vtpm_proxy module access

The change for noble is the same as oracular, the original mp is here: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/468957

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-add-sys-admin

Testing:

sys_admin test steps

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm apparmor -y

$ mkdir /tmp/myvtpm

# Before fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
swtpm: Ioctl to create vtpm proxy failed: Operation not permitted

$ sudo add-apt-repository ppa:lvoytek/swtpm-add-sys-admin
$ sudo apt update && sudo apt upgrade -y

# After fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
New TPM device: /dev/tpm1 (major/minor = 253/1)

lockfile test steps

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm virt-manager apparmor -y

# Create a vm with virt-manager that uses a TPM2 device and start it
# A directory will show up in /var/lib/libvirt/swtpm/ using the vm's ID, such as:
# /var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5

$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied

# Stop vm and update
$ sudo add-apt-repository ppa:lvoytek/swtpm-add-sys-admin
$ sudo apt update && sudo apt upgrade -y
$ sudo killall swtpm

# Start vm again

$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
{ "type": "swtpm", "states": [] }
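To show how the two denials behind these test steps map onto profile rules, here is an added Python example (not code from swtpm or this merge proposal) that parses AppArmor audit lines for the `swtpm` profile and proposes the rule that would permit each one. The audit lines, pids, uids and the lock file path are constructed, and the script emits per-file rules that a maintainer would then generalise into a glob by hand.

```python
"""Map AppArmor DENIED audit lines for the swtpm profile to candidate rules.

Added example, not code from the swtpm package or this merge proposal. The
sample lines are constructed; pids, uids, timestamps and paths are made up.
"""
import re

# Constructed sample audit lines in the kernel's AppArmor audit format.
SAMPLE_LOG = """\
audit: type=1400 audit(1722376543.101:311): apparmor="DENIED" operation="capable" class="cap" profile="swtpm" pid=4242 comm="swtpm" capability=21  capname="sys_admin"
audit: type=1400 audit(1722376600.555:312): apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/.lock" pid=4243 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=64055
audit: type=1400 audit(1722376601.000:313): apparmor="ALLOWED" operation="open" class="file" profile="swtpm" name="/tmp/myvtpm/tpm2-00.permall" pid=4244 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MASK_ORDER = "rwkamlix"  # conventional order of AppArmor file permission letters

def parse_line(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def suggest_rule(ev):
    """Return the AppArmor rule that would permit one DENIED event, else None."""
    if ev.get("apparmor") != "DENIED":
        return None
    if ev.get("operation") == "capable":
        return f'capability {ev["capname"]},'
    if "name" in ev and "denied_mask" in ev:
        # 'c' (create) appears in the audit mask but is granted by 'w' in a rule.
        wanted = set(ev["denied_mask"].replace("c", "w"))
        mask = "".join(c for c in MASK_ORDER if c in wanted)
        # 'owner' only matches when the file's uid (ouid) equals the process
        # fsuid; that mismatch is why an 'owner ...' rule did not apply here.
        prefix = "owner " if ev.get("fsuid") == ev.get("ouid") else ""
        return f'{prefix}{ev["name"]} {mask},'
    return None

def rules_for_profile(log, profile):
    """Collect deduplicated rule suggestions for one profile from a log blob."""
    rules = []
    for line in log.splitlines():
        ev = parse_line(line)
        rule = suggest_rule(ev) if ev.get("profile") == profile else None
        if rule and rule not in rules:
            rules.append(rule)
    return rules
```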

Bryce Harrington (bryce) wrote :

I'd reviewed the oracular merge previously, and ran through the test case to validate it already: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/468957

I did not re-verify the test case, since it'll be done for the SRU acceptance step anyway. But this looks like it correctly carries the changes. I've triggered one autopkgtest run against this for amd64, so you might double-check that passes when you are ready to upload. Otherwise, LGTM, +1.

$ ppa tests https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-add-sys-admin

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: lvoytek, bryce
Uploaders: lvoytek, bryce
MP auto-approved

review: Approve
Lena Voytek (lvoytek) wrote :

Thanks for the review! autopkgtest passed, uploaded:

dput ubuntu ../swtpm_0.7.3-0ubuntu5.24.04.1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../swtpm_0.7.3-0ubuntu5.24.04.1_source.changes: Valid signature from 34B8AD7D9529E793
Checking signature on .dsc
gpg: ../swtpm_0.7.3-0ubuntu5.24.04.1.dsc: Valid signature from 34B8AD7D9529E793
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading swtpm_0.7.3-0ubuntu5.24.04.1.dsc: done.
  Uploading swtpm_0.7.3-0ubuntu5.24.04.1.debian.tar.xz: done.
  Uploading swtpm_0.7.3-0ubuntu5.24.04.1_source.buildinfo: done.
  Uploading swtpm_0.7.3-0ubuntu5.24.04.1_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 73d00ae..281265b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+swtpm (0.7.3-0ubuntu5.24.04.1) noble; urgency=medium
7+
8+ * d/usr.bin.swtpm:
9+ - Add sys_admin capability to apparmor profile to allow access to kernel
10+ modules such as tpm_vtpm_proxy (LP: #2071478)
11+ - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
12+ apparmor denials when working with TPM2 locks (LP: #2072524)
13+
14+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 30 Jul 2024 15:16:43 -0700
15+
16 swtpm (0.7.3-0ubuntu5) noble; urgency=medium
17
18 * Add patch to force the buildsystem to build with -D_FORTIFY_SOURCE=3
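Review bot: the justification in the first bullet ("to allow access to kernel modules such as tpm_vtpm_proxy") does not describe what the test steps in the description show failing, which is the ioctl that creates the vtpm proxy device after `modprobe` has already loaded the module; suggest wording it as, e.g., `Add sys_admin capability to apparmor profile so swtpm can create vtpm proxy devices (LP: #2071478)` so a later reader can tell which operation needs the capability and when it could be dropped.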
19diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
20index f5f1273..c52894d 100644
21--- a/debian/usr.bin.swtpm
22+++ b/debian/usr.bin.swtpm
23@@ -19,6 +19,7 @@ profile swtpm /usr/bin/swtpm {
24 capability fsetid,
25 capability setgid,
26 capability setuid,
27+ capability sys_admin,
28
29 network inet stream,
30 network inet6 stream,
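Review bot: `capability sys_admin,` at diff line 27 is far broader than the neighbouring fsetid/setgid/setuid grants, and AppArmor cannot scope it to the one ioctl that needs it, so add a comment above the rule naming that reason (the vtpm proxy device creation exercised by `swtpm chardev --vtpm-proxy` in the test steps); without it the capability will be carried forward silently in future merges.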
31@@ -30,6 +31,7 @@ profile swtpm /usr/bin/swtpm {
32 /tmp/** rwk,
33 owner @{HOME}/** rwk,
34 owner /var/lib/libvirt/swtpm/** rwk,
35+ /var/lib/libvirt/swtpm/** wk,
36 /run/libvirt/qemu/swtpm/*.sock rwk,
37 owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock rwk,
38 owner /var/log/swtpm/libvirt/qemu/*.log rwk,
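Review bot: `/var/lib/libvirt/swtpm/** wk,` at diff line 35 grants write and lock on every file under that tree regardless of owner, which is wider than the "lockfile write access" the changelog describes: combined with the `owner ... rwk` rule above it, swtpm can now write any other user's state files there, not only the lock. If the lock file has a fixed name, key the rule on it (a `**/<lockfile-name> wk,` form) and leave the state files under the `owner` rule; if the whole-tree glob really is required, say why in a comment beside the rule.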
