We can add those - if we agree - as Ubuntu Delta kind of "right now" to fix it before release. But the swtpm changes then shall be part of the upstreaming effort to Stefan that we planned anyway. And the libvirt changes should go upstream there for the benefit of others as well.
Summary of changes needed across libvirt and swtpm packages/profiles: ubuntu@swtpm-jammy:~$ for f in /etc/apparmor.d/abstractions/libvirt-qemu /etc/apparmor.d/usr.bin.swtpm /etc/apparmor.d/usr.sbin.libvirtd; do echo $f; diff -Naur $f.orig $f; done /etc/apparmor.d/abstractions/libvirt-qemu --- /etc/apparmor.d/abstractions/libvirt-qemu.orig 2022-04-12 11:51:00.834171997 +0000 +++ /etc/apparmor.d/abstractions/libvirt-qemu 2022-04-12 12:04:10.105197715 +0000 @@ -184,7 +184,7 @@ audit deny /{var/,}run/qemu/*/*.so w, # swtpm - /{usr/,}bin/swtpm rmix, + /{usr/,}bin/swtpm rmpix, /usr/{lib,lib64}/libswtpm_libtpms.so mr, /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, @@ -230,6 +230,7 @@ unix (send, receive) type=stream addr=none peer=(label=libvirtd), unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), unix (send, receive) type=stream addr=none peer=(label=virtqemud), + unix (send, receive) type=stream addr=none peer=(label=swtpm), # allow access to charm-specific ceph config (LP: #1403648). # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579) /etc/apparmor.d/usr.bin.swtpm --- /etc/apparmor.d/usr.bin.swtpm.orig 2022-04-12 11:50:33.586205088 +0000 +++ /etc/apparmor.d/usr.bin.swtpm 2022-04-12 12:04:58.569137867 +0000 @@ -16,10 +16,15 @@ network inet stream, network inet6 stream, + unix (send) type=dgram addr=none peer=(addr=none), + unix (send, receive) type=stream addr=none peer=(label=libvirt-*), owner /tmp/** rwk, - owner /usr/bin/swtpm r, + /usr/bin/swtpm rm, owner /var/lib/libvirt/swtpm/** rwk, + /run/libvirt/qemu/swtpm/*.sock rwk, + owner /var/log/swtpm/libvirt/qemu/*.log rwk, + owner /run/libvirt/qemu/swtpm/*.pid rwk, owner /dev/vtpmx rw, } /etc/apparmor.d/usr.sbin.libvirtd --- /etc/apparmor.d/usr.sbin.libvirtd.orig 2022-04-12 11:58:44.725602007 +0000 +++ /etc/apparmor.d/usr.sbin.libvirtd 2022-04-12 11:59:23.193554346 +0000 
@@ -58,6 +58,7 @@ ptrace (read,trace) peer=dnsmasq, ptrace (read,trace) peer=/usr/sbin/dnsmasq, ptrace (read,trace) peer=libvirt-*, + ptrace (read,trace) peer=swtpm, signal (send) peer=dnsmasq, signal (send) peer=/usr/sbin/dnsmasq,
--
https://bugs.launchpad.net/bugs/1968187
Title: apparmor denial when using swtpm
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
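Review bot: the `rmix` to `rmpix` change on `/{usr/,}bin/swtpm` in the libvirt-qemu abstraction (hunk @@ -184) falls back to `ix` whenever no `swtpm` profile is loaded, so on a host where the usr.bin.swtpm profile is missing or disabled swtpm keeps running under the libvirt-<uuid> profile and every `peer=(label=swtpm)` rule added elsewhere in this patch stops matching without any denial pointing at the cause. A comment on that line stating that the child profile is shipped by the swtpm package would help keep the two packages in sync; if the intent is to require the separate profile, `rmpx` makes a missing profile fail loudly instead of silently inheriting.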
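Review bot: the new `unix (send, receive) type=stream addr=none peer=(label=swtpm),` line in the libvirt-qemu abstraction (hunk @@ -230) only matches if the swtpm profile is named literally `swtpm`; the surrounding libvirtd lines list both the short label and the full path (`libvirtd` and `/usr/sbin/libvirtd`), so either confirm that usr.bin.swtpm declares `profile swtpm /usr/bin/swtpm` or add a second line with `peer=(label=/usr/bin/swtpm)` in the same style so the rule does not break when the profile name differs between releases.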
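Review bot: in the usr.bin.swtpm hunk the added `unix (send) type=dgram addr=none peer=(addr=none),` carries no peer label and no comment, so it grants datagram sends to any unbound peer rather than to the one service swtpm actually talks to; a comment naming the consumer (and a `peer=(label=...)` if one can be identified) would document why it is needed. In the same hunk `/run/libvirt/qemu/swtpm/*.sock rwk,` has no `owner` qualifier while the neighbouring `*.pid` and `*.log` rules do; if the socket is created by swtpm itself under the same uid, `owner` can be kept for consistency, and if libvirtd pre-creates it as a different user that is worth a one-line comment explaining the asymmetry.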
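Review bot: the added `ptrace (read,trace) peer=swtpm,` in usr.sbin.libvirtd follows the dnsmasq pattern only halfway: dnsmasq is listed by both label and path, and the lines immediately below pair the ptrace rules with `signal (send) peer=dnsmasq,` and `signal (send) peer=/usr/sbin/dnsmasq,`. If libvirtd is the process that terminates swtpm at domain shutdown, a matching `signal (send) peer=swtpm,` line is needed too, and a `peer=/usr/bin/swtpm` form for both rules would cover hosts where the profile is attached by path.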