Merge ~lvoytek/ubuntu/+source/swtpm:aa-sysadmin-lockfile-jammy into ubuntu/+source/swtpm:ubuntu/jammy-devel

Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: e8299dcc67bfbde40adef99fbc21058edfab4ff7
Proposed branch: ~lvoytek/ubuntu/+source/swtpm:aa-sysadmin-lockfile-jammy
Merge into: ubuntu/+source/swtpm:ubuntu/jammy-devel
Diff against target: 38 lines (+12/-0)
2 files modified
debian/changelog (+10/-0)
debian/usr.bin.swtpm (+2/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Bryce Harrington (community) Approve
Canonical Server Reporter Pending
Review via email: mp+470384@code.launchpad.net

Description of the change

Add some additional apparmor permissions to fix lockfile and tpm_vtpm_proxy module access

The change for jammy is the same as oracular and noble, the original mp is here: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/468957

noble mp is here: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/470383

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-add-sys-admin

Testing:

sys_admin test steps

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm apparmor -y

$ mkdir /tmp/myvtpm

# Before fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
swtpm: Ioctl to create vtpm proxy failed: Operation not permitted

$ sudo add-apt-repository ppa:lvoytek/swtpm-add-sys-admin
$ sudo apt update && sudo apt upgrade -y

# After fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
New TPM device: /dev/tpm1 (major/minor = 253/1)

lockfile test steps

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm virt-manager apparmor -y

# Create a vm with virt-manager that uses a TPM2 device and start it
# A directory will show up in /var/lib/libvirt/swtpm/ using the vm's ID, such as:
# /var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5

$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
swtpm: SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied

# Stop vm and update
$ sudo add-apt-repository ppa:lvoytek/swtpm-add-sys-admin
$ sudo apt update && sudo apt upgrade -y
$ sudo killall swtpm

# Start vm again

$ sudo swtpm socket --print-states --tpmstate dir=/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2,mode=0600
{ "type": "swtpm", "states": [] }
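A triage helper for the two AppArmor denials this proposal fixes, as an added example (not code from the merge proposal or the swtpm package). It parses AppArmor audit records and reports which of the two new profile rules would clear each denial, and flags records those rules do not cover; the sample records are constructed to match the kernel's audit format, and the `.lock` file name and pids are assumed.

```python
import re

# The two rules this merge proposal adds to debian/usr.bin.swtpm.
RULE_CAP = "capability sys_admin,"
RULE_LOCK = "/var/lib/libvirt/swtpm/** wk,"
STATE_DIR = "/var/lib/libvirt/swtpm/"

# key=value or key="quoted value" fields of an AppArmor audit record
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Split one audit record into a dict of its fields, quotes stripped."""
    return {k: q or b for k, q, b in _FIELD.findall(line)}

def rule_for(line):
    """Return the new profile rule that clears this denial, or None if neither covers it."""
    f = parse_audit(line)
    if f.get("apparmor") != "DENIED" or f.get("profile") != "swtpm":
        return None
    if f.get("operation") == "capable":
        return RULE_CAP if f.get("capname") == "sys_admin" else None
    if not f.get("name", "").startswith(STATE_DIR):
        return None
    # The existing `owner /var/lib/libvirt/swtpm/** rwk,` rule already covers
    # files swtpm owns, so the new rule only matters when fsuid != ouid, and
    # it grants w and k only: a denied read stays denied.
    if f.get("fsuid") == f.get("ouid"):
        return None
    denied = set(f.get("denied_mask", ""))
    return RULE_LOCK if denied and denied <= set("wk") else None

def triage(lines):
    """Pair every DENIED record with the rule that fixes it (None if none)."""
    return [(rec, rule_for(rec)) for rec in lines if 'apparmor="DENIED"' in rec]

# Constructed sample records (pids made up; ".lock" is the assumed lockfile name).
SAMPLE_LOG = [
    'type=AVC msg=audit(1722400000.001:101): apparmor="DENIED" operation="capable" '
    'class="cap" profile="swtpm" pid=4242 comm="swtpm" capability=21 capname="sys_admin"',
    'type=AVC msg=audit(1722400000.002:102): apparmor="DENIED" operation="file_lock" '
    'class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/.lock" '
    'pid=4243 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=0 ouid=64055',
    'type=AVC msg=audit(1722400000.003:103): apparmor="DENIED" operation="open" '
    'class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/ab930d41-1600-4987-bfb0-34107be38cc5/tpm2/tpm2-00.permall" '
    'pid=4243 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=0 ouid=64055',
]
```

Running `triage` over `journalctl -k` or `/var/log/audit/audit.log` output after reproducing the two test scenarios shows whether any remaining denial needs a separate rule rather than the two added here.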

Bryce Harrington (bryce) wrote :

Same review as on mp:lvoytek/swtpm/470383

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: lvoytek, bryce
Uploaders: lvoytek, bryce
MP auto-approved

review: Approve
Lena Voytek (lvoytek) wrote :

Uploaded:

dput ubuntu ../swtpm_0.6.3-0ubuntu3.3_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../swtpm_0.6.3-0ubuntu3.3_source.changes: Valid signature from 34B8AD7D9529E793
Checking signature on .dsc
gpg: ../swtpm_0.6.3-0ubuntu3.3.dsc: Valid signature from 34B8AD7D9529E793
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading swtpm_0.6.3-0ubuntu3.3.dsc: done.
  Uploading swtpm_0.6.3-0ubuntu3.3.debian.tar.xz: done.
  Uploading swtpm_0.6.3-0ubuntu3.3_source.buildinfo: done.
  Uploading swtpm_0.6.3-0ubuntu3.3_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 91f618e..9196b1a 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+swtpm (0.6.3-0ubuntu3.3) jammy; urgency=medium
7+
8+ * d/usr.bin.swtpm:
9+ - Add sys_admin capability to apparmor profile to allow access to kernel
10+ modules such as tpm_vtpm_proxy (LP: #2071478)
11+ - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
12+ apparmor denials when working with TPM2 locks (LP: #2072524)
13+
14+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 30 Jul 2024 15:22:09 -0700
15+
16 swtpm (0.6.3-0ubuntu3.2) jammy; urgency=medium
17
18 * d/p/create-user-config-files-use-correct-swtpm-localca.patch: Fix the path
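Review bot: the first bullet says sys_admin is added "to allow access to kernel modules such as tpm_vtpm_proxy", but the testing steps show the failing operation is the device-creation ioctl ("Ioctl to create vtpm proxy failed: Operation not permitted"), and modprobe runs outside the profile anyway; rewording the bullet to name the ioctl used by --vtpm-proxy would make the changelog match what the new rule actually permits.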
19diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
20index 56702ad..bc76928 100644
21--- a/debian/usr.bin.swtpm
22+++ b/debian/usr.bin.swtpm
23@@ -19,6 +19,7 @@ profile swtpm /usr/bin/swtpm {
24 capability fsetid,
25 capability setgid,
26 capability setuid,
27+ capability sys_admin,
28
29 network inet stream,
30 network inet6 stream,
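Review bot: `capability sys_admin,` is the broadest capability AppArmor can grant and nothing in the profile records why it is needed; a one-line comment above it pointing at the --vtpm-proxy device-creation ioctl and LP: #2071478 would stop a later cleanup from treating it as an accidental over-grant, and makes clear that socket-mode deployments like the lockfile test do not exercise it.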
31@@ -30,6 +31,7 @@ profile swtpm /usr/bin/swtpm {
32 /tmp/** rwk,
33 owner @{HOME}/** rwk,
34 owner /var/lib/libvirt/swtpm/** rwk,
35+ /var/lib/libvirt/swtpm/** wk,
36 /run/libvirt/qemu/swtpm/*.sock rwk,
37 owner /var/log/swtpm/libvirt/qemu/*.log rwk,
38 owner /run/libvirt/qemu/swtpm/*.pid rwk,
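Review bot: `/var/lib/libvirt/swtpm/** wk,` grants write and lock on every non-owned file under the tree, while the denial being fixed is only the lockfile open in the per-VM tpm2 state directory ("SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied"). If the lockfile name is stable, a rule limited to that name (keeping the `**` directory depth) would clear the denial without letting the profile write to state files owned by another user; at minimum the `owner ... rwk` rule directly above shows the original intent was owner-only, so a comment explaining why the non-owner case arises (directories created by libvirt) belongs next to the new line.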
