On Tue, 5 Nov 2024 at 17:02, Stefan Berger <stef...@linux.ibm.com> wrote:
> On 11/5/24 11:14 AM, Peter Maydell wrote:
> > Q1: why is apparmor forbidding swtpm from doing something that
> > it needs to do to work?
>
> What distro and version is this?
>
> The profile may be too strict and not reflecting all the paths needed
> for running the test cases. Ubuntu for example would have to update
> their profile in such a case.

This is Ubuntu 22.04 "jammy" (with swtpm 0.6.3-0ubuntu3.3).

> > Q2: is there a way to run swtpm such that it is not
> > confined by apparmor, for purposes of running it in a test case?
>
> Try either one:
> - sudo aa-complain /usr/bin/swtpm
> - sudo aa-disable /usr/bin/swtpm

We don't have root access from QEMU's 'make check', though
(and shouldn't be globally disabling apparmor even if we could).
I had in mind more a way that an individual user can say
"run this swtpm process but don't apply the apparmor profile to it".

> > Q3: if not, is there a way to at least detect that swtpm is
> > broken on this system so we can skip the test case?
>
> It's not swtpm that is broken but the AppArmor profile is too strict.
> Above command lines should work.

But this is a widely deployed distro in its default configuration.
We have to either work with it or detect that it's broken so we
can skip the test.

thanks
-- PMM