** Description changed:

+ [Impact]
+
+ The default apparmor profile for swtpm blocks access to kernel modules,
+ which causes a failure when using the --vtpm-proxy argument, since it
+ requires tpm_vtpm_proxy.
+
+ The fix for this should be backported so the vtpm-proxy works for users
+ by default.
+
+ The issue is fixed by adding the sys_admin capability, which gives swtpm
+ access to the required kernel modules.
+
+ [Test Plan]
+
+ $ sudo apt update && sudo apt dist-upgrade -y
+ $ sudo apt install swtpm apparmor -y
+
+ $ mkdir /tmp/myvtpm
+
+ # Before fix
+ $ sudo modprobe tpm_vtpm_proxy
+ $ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
+ swtpm: Ioctl to create vtpm proxy failed: Operation not permitted
+
+ # After fix
+ $ sudo modprobe tpm_vtpm_proxy
+ $ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
+ New TPM device: /dev/tpm1 (major/minor = 253/1)
+
+ [Where problems could occur]
+
+ This change will allow swtpm to access various kernel modules by
+ default. So if malicious code were to exist within swtpm, then it would
+ have far greater access when running with super user permissions.
+
+ Likewise, with a change to the apparmor profile, a conflict will occur
+ on update for users that modified their profile directly.
+
+ [Other Info]
+
+ The issue was fixed in oracular in 0.7.3-0ubuntu7.
+
+ [Original Description]
+ Based on the upstream discussion here - https://github.com/stefanberger/swtpm/discussions/866 - certain features of swtpm require access to kernel modules to work. For example, using --vtpm-proxy requires the tpm_vtpm_proxy module. This should work by default, and is fixed by adding capability sys_admin to the apparmor profile.
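As an added diagnostic example (not part of the bug report or the swtpm package): a POSIX shell snippet that confirms the "Operation not permitted" failure above is an AppArmor capability denial rather than something else, and checks whether a profile file already grants `capability sys_admin,`. The audit line layout is assumed from the kernel's AppArmor audit messages; the sample lines, PIDs and timestamps are constructed, and the profile path is left to the caller because the report does not name it.

```shell
#!/bin/sh
# Constructed AppArmor audit lines in the kernel's audit format (assumed layout).
# Only the first line is a capability denial against the swtpm profile.
SAMPLE_LOG='audit: type=1400 audit(1719000000.100:55): apparmor="DENIED" operation="capable" class="cap" profile="swtpm" pid=4242 comm="swtpm" capability=21 capname="sys_admin"
audit: type=1400 audit(1719000000.200:56): apparmor="ALLOWED" operation="open" profile="swtpm" name="/tmp/myvtpm/" pid=4242 comm="swtpm"
audit: type=1400 audit(1719000000.300:57): apparmor="DENIED" operation="capable" class="cap" profile="other" pid=7 comm="other" capability=12 capname="net_admin"'

# denied_caps PROFILE LOG: print the capname of every capability denial
# recorded for PROFILE, one per line (empty when there are none).
denied_caps() {
  printf '%s\n' "$2" \
    | grep 'apparmor="DENIED"' | grep 'operation="capable"' \
    | grep "profile=\"$1\"" \
    | sed -n 's/.*capname="\([^"]*\)".*/\1/p'
}

# profile_grants FILE CAP: succeed when FILE contains a rule of the form
# "capability CAP," (the AppArmor syntax for granting a capability).
profile_grants() {
  grep -Eq "^[[:space:]]*capability[[:space:]]+$2[[:space:]]*," "$1"
}

# diagnose FILE LOG: "missing" when the log shows a sys_admin denial for
# swtpm and FILE does not grant it (the situation in this report),
# "granted" when FILE already has the rule, "none" when no such denial exists.
diagnose() {
  if denied_caps swtpm "$2" | grep -qx sys_admin; then
    if profile_grants "$1" sys_admin; then echo granted; else echo missing; fi
  else
    echo none
  fi
}
```

On a real system, pass the swtpm profile file and the output of `dmesg` or `journalctl -k` to `diagnose`; a result of `missing` points at the profile, not at the tpm_vtpm_proxy module or the ioctl itself.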
--
https://bugs.launchpad.net/bugs/2071478

Title:
  Add sys_admin capability to apparmor profile by default