Update apparmor profile to match upstream
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
swtpm | Unknown | Unknown | |
swtpm (Ubuntu) | Fix Released | Undecided | Lena Voytek |
Jammy | Fix Released | Undecided | Lena Voytek |
Kinetic | Fix Released | Undecided | Lena Voytek |
Bug Description
[Impact]
In its current state, swtpm's apparmor profile has a few restrictions that block common use cases for the software. These include:
- Use of vtpm proxy
- Using one's home folder to manage TPM states
- Some qemu and libvirt interactions in the tmp directory
Cleaning up these restrictions allows users to run swtpm in these common configurations without messing with local apparmor profiles.
To fix these cases, the swtpm apparmor profile has been updated to match upstream. During the process of bringing the Ubuntu version of the profile upstream, these issues were found and fixed accordingly. More info on these changes can be found here: https:/
[Test Plan]
The fix can be tested by running swtpm in these situations. The following steps test managing TPM state from a directory in the user's home folder, using a Windows 11 ISO:
$ sudo apt install swtpm qemu-kvm
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir ~/tpmstatedir
$ swtpm socket --tpm2 --ctrl type=unixio,
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,
[Where problems could occur]
This change only decreases apparmor restrictions, so users will not be blocked by any new rules. However, with fewer restrictions, swtpm presents more attack vectors if it were to be compromised. swtpm will no longer be blocked from accessing tmp files that are not its own, and will have additional abilities to manipulate file permissions. If swtpm acted maliciously, it could access and tamper with temporary files belonging to other programs.
[Other Info]
This bug has been fixed in kinetic and beyond in version 0.6.3-0ubuntu4.
[Original Description]
When a user keeps the swtpm TPM state directory somewhere in their home directory, apparmor denies the creation of the lock file when a qemu VM boots, logging a message such as:
audit: type=1400 audit(166541213
This is due to a missing line in the apparmor profile that has been added upstream:
owner @{HOME}/** rwk,
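As an added illustration (not code from the bug report or the swtpm package), the following Python triage script parses apparmor DENIED audit lines like the one above and reports which denials the new `owner @{HOME}/** rwk,` rule would resolve. The audit lines, user names and paths are constructed samples, and @{HOME} is simplified to /home/*; the owner check shows the qualifier that still keeps swtpm away from other users' files after the profile is relaxed, which is the concern raised under [Where problems could occur].

```python
import re

# Constructed sample audit lines (not from the bug report): a lock-file denial
# in the user's own home, a file owned by another user, and a path under /tmp.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1665412130.101:201): apparmor="DENIED" operation="file_lock" profile="swtpm" name="/home/alice/tpmstatedir/.lock" pid=4242 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
audit: type=1400 audit(1665412130.102:202): apparmor="DENIED" operation="open" profile="swtpm" name="/home/bob/tpmstatedir/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1001
audit: type=1400 audit(1665412130.103:203): apparmor="DENIED" operation="open" profile="swtpm" name="/tmp/qemu-swtpm.sock" pid=4242 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

# The rule this bug adds to usr.bin.swtpm: `owner @{HOME}/** rwk,`
# @{HOME} is simplified to /home/* here (the real tunable also covers /root/).
NEW_RULE = {"path": "@{HOME}/**", "perms": "rwk", "owner": True}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(audit_text):
    """One dict of key=value fields per apparmor="DENIED" line."""
    return [{k: v.strip('"') for k, v in FIELD.findall(line)}
            for line in audit_text.splitlines() if 'apparmor="DENIED"' in line]


def glob_to_regex(path_glob):
    """AppArmor path glob to regex: '**' may cross '/', '*' may not."""
    out, i = "", 0
    path_glob = path_glob.replace("@{HOME}", "/home/*")
    while i < len(path_glob):
        if path_glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif path_glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(path_glob[i]), i + 1
    return re.compile("^" + out + "$")


def rule_covers(denial, rule):
    """Would `rule` have allowed this denied access? (only r/w/k modelled)"""
    if not glob_to_regex(rule["path"]).match(denial["name"]):
        return False
    if rule["owner"] and denial.get("fsuid") != denial.get("ouid"):
        return False  # `owner` rules apply only to files the process's fsuid owns
    return set(denial["denied_mask"]) <= set(rule["perms"])


def triage(audit_text, rule=NEW_RULE):
    """Map each denied path to whether the new home-directory rule resolves it."""
    return {d["name"]: rule_covers(d, rule) for d in parse_denials(audit_text)}
```

Running `triage(SAMPLE_AUDIT)` marks only the lock file in the user's own home as covered; the other user's state file stays denied by the `owner` qualifier and the /tmp socket needs the separate tmp rules from the same update.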
To test (using a Windows 11 iso):
$ sudo apt install swtpm qemu-kvm
$ qemu-img create -f qcow2 win11.img 64G
$ mkdir ~/tpmstatedir
$ swtpm socket --tpm2 --ctrl type=unixio,
$ sudo qemu-system-x86_64 -hda win11.img -boot d -m 4096 -enable-kvm -chardev socket,
Related branches
- git-ubuntu bot: Approve
- Christian Ehrhardt (community): Approve
- Steve Langasek (community): Abstain
- Canonical Server Reporter: Pending requested
Diff: 68 lines (+27/-2), 2 files modified: debian/changelog (+17/-0), debian/usr.bin.swtpm (+10/-2)
- git-ubuntu bot: Approve
- Christian Ehrhardt (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 68 lines (+27/-2), 2 files modified: debian/changelog (+17/-0), debian/usr.bin.swtpm (+10/-2)
Changed in swtpm (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Kinetic):
assignee: nobody → Lena Voytek (lvoytek)
status: New → In Progress
tags: added: server-todo
Changed in swtpm (Ubuntu Jammy):
status: New → Triaged
tags: added: cetest
summary: Apparmor denies writing to swtpm lock file in user's home directory → Update apparmor profile to match upstream
description: updated
Changed in swtpm (Ubuntu Jammy):
status: Triaged → In Progress
This bug was fixed in the package swtpm - 0.6.3-0ubuntu4
---------------
swtpm (0.6.3-0ubuntu4) kinetic; urgency=medium
  * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
    In between adding the apparmor profile to Ubuntu and merging upstream
    additional rules were used to cover more common use cases. (LP: #1992377)
    - The six capability lines fix the broken upstream unit test cases:
      test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
      test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
    - owner @{HOME}/** rwk was added as using a folder in one's home directory
      is common for managing tpm states
    - Access in the tmp directory is further generalized as this is where swtpm
      interacts with qemu and libvirt
    - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
      work
-- Lena Voytek <email address hidden> Tue, 11 Oct 2022 10:54:21 -0700