AppArmor DENIES swtpm pid file access

Hello,
Thanks for the bug report. I attempted to reproduce using Kinetic with libvirt 8.6.0-0ubuntu1
and apparmor 3.0.7-1ubuntu1 but was unable to. This is probably due to my integration of swtpm into the vm. If you can find the exact parameters used for virt-install that would be great. Then I can try and reproduce the issue with more accuracy.

This is how our tests run virt-install:

# virt-install --connect qemu:///system --quiet --name VmNotInstalled --os-variant fedora28 --memory memory=130,maxmemory=150 --check path_in_use=off --wait -1 --noautoconsole --disk path=/var/lib/libvirt/images/VmNotInstalled.qcow2,device=disk,boot_order=2,bus=virtio,readonly=off,shareable=off,discard=unmap,driver_name=qemu,driver_type=qcow2 --network network=default,mac=52:54:00:74:37:e6,model=virtio,boot_order=1,link_state=up --network bridge=virbr0,mac=52:54:00:f1:23:41,model=rtl8139,link_state=up --graphics type=vnc,listen=127.0.0.1,port=-1 --graphics type=spice,listen=127.0.0.1 --cdrom /var/lib/libvirt/novell.iso --autostart --vcpus vcpus=2,maxvcpus=8,sockets=2,cores=2,threads=2 --boot uefi

The important bit seems to be "--boot uefi". If I leave that out, installation starts.

I just upgraded to Kinetic and got the same error when trying to run a Windows 11 VM:
Could not get process id of swtpm

In the logs it gives:
audit: type=1400 audit(1666337344.313:117): apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/libvirt/qemu/swtpm/3-Windows11-swtpm.pid" pid=76679 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=131 ouid=0

I am using the swtpm and swtpmtools in the default repository (not a ppa).

(The VM worked perfectly before the upgrade)

I can confirm.

One PC was an upgrade from 22.04 to 22.10. Worked perfectly prior to the upgrade. The other was a newly built (for testing this issue) 22.10. Software was installed from the Ubuntu default PPAs. The error message was the same message as reported by Mark Wren.

First host is an HP Elitebook G2. Second is a Dell Precision 5570.

Disabling AppArmor and rebooting resolved the issue on both PCs. I was able to successfully start both guest Windows 11 VMs after this change.

I can also confirm the issue occurs after upgrading from 22.04 to 22.10. Using libvirt 8.6.0-ubuntu3 and apparmor 3.0.7-1ubuntu2.

Running
# aa-complain swtpm
# systemctl reload apparmor.service
works as a temporary workaround.

It looks like, do to a recent update in how libvirt handles /run/libvirt/qemu/swtpm/*.pid, swtpm blocks it. I created a PPA for 22.10 that updates the apparmor profile, located here: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-fix-apparmor-libvirt

If you would like to test it you can run the following:

$ sudo add-apt-repository ppa:lvoytek/swtpm-fix-apparmor-libvirt
$ sudo apt update
$ sudo apt upgrade

Alternatively you can add the following line to /etc/apparmor.d/local/usr.bin.swtpm:

/run/libvirt/qemu/swtpm/*.pid rwk,

Let me know if this fixes it.
Thanks!

I applied the manual change to usr.bin.swtpm, enabled apparmor, started apparmor, and rebooted just to confirm. This solves the issue for me. Thanks!

Thanks Lena! I added your repo, and upgraded, and it fixed it. Awesome that the community fixes things - like 4 hours before I look for it!

Thank you for your work!

That's great to hear! I'll get started on merging the change into 22.10

Our test passes with the new version of swtmp from your PPA. Thanks!

This bug was fixed in the package swtpm - 0.6.3-0ubuntu5

---------------
swtpm (0.6.3-0ubuntu5) lunar; urgency=medium

  * d/usr.bin.swtpm: Allow swtpm to also access /run/libvirt/qemu/swtpm/*.pid
    files that it does not own (LP: #1989100)

 -- Lena Voytek <email address hidden> Mon, 24 Oct 2022 10:52:06 -0700

Hello Marius, or anyone else affected,

Accepted swtpm into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/swtpm/0.6.3-0ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified with the following steps:

$ sudo su
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
# exit

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install virt-manager swtpm

Created a Windows 11 vm in virt-manager and on the last page added TPM 2.0

Clicked "Begin Installation"

VM started successfully

All autopkgtests for the newly accepted swtpm (0.6.3-0ubuntu4.1) for kinetic have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/251.4-1ubuntu7 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/kinetic/update_excuses.html#swtpm

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

That autopkgtest failed due to an unrelated issue:

  File "/usr/bin/autopkgtest-virt-lxd", line 223, in hook_wait_reboot
    if current_uptime < initial_uptime:
TypeError: '<' not supported between instances of 'float' and 'NoneType'

The history on https://autopkgtest.ubuntu.com/packages/s/systemd/kinetic/arm64 does not look very good, so I'd recommend to ignore that particular failure for this SRU.

A migration-reference/0 run confirmed the flakiness and this failure is no longer a blocker for the SRU.

This bug was fixed in the package swtpm - 0.6.3-0ubuntu4.1

---------------
swtpm (0.6.3-0ubuntu4.1) kinetic; urgency=medium

  * d/usr.bin.swtpm: Allow swtpm to also access /run/libvirt/qemu/swtpm/*.pid
    files that it does not own (LP: #1989100)

 -- Lena Voytek <email address hidden> Wed, 23 Nov 2022 07:55:43 -0700

The verification of the Stable Release Update for swtpm has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Since the issue was fixed via swtpm, there's no need to update libvirt, marking as wont fix for now