Update apparmor profile to match upstream

This bug was fixed in the package swtpm - 0.6.3-0ubuntu4

---------------
swtpm (0.6.3-0ubuntu4) kinetic; urgency=medium

  * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
    In between adding the apparmor profile to Ubuntu and merging upstream
    additional rules were used to cover more common use cases. (LP: #1992377)
    - The six capability lines fix the broken upstream unit test cases:
      test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
      test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
    - owner @{HOME}/** rwk was added as using a folder in one's home directory
      is common for managing tpm states
    - Access in the tmp directory is further generalized as this is where swtpm
      interacts with qemu and libvirt
    - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
      work

 -- Lena Voytek <email address hidden> Tue, 11 Oct 2022 10:54:21 -0700

Going over this bug again, there are some different requirements for it to be fixed compared to LP: #1989100. As such I'm removing duplicate status for now

Kinetic was updated but not Jammy. What happened?

Jammy got stuck in the upload process. We reuploaded on Tuesday so the changes should land soon

Hello Lena, or anyone else affected,

Accepted swtpm into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/swtpm/0.6.3-0ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified the fix on Jammy with the above Windows 11 test case and by checking the profile manually:

# lxc launch ubuntu:22.04 test-swtpm
# lxc exec test-swtpm bash

# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# apt update && apt dist-upgrade -y
# apt install swtpm -y

# cat /etc/apparmor.d/usr.bin.swtpm
# vim:syntax=apparmor
# AppArmor policy for swtpm
# Author: Lena Voytek <email address hidden>
# Last Modified: Tue Oct 11 10:53:05 2022

#include <tunables/global>

profile swtpm /usr/bin/swtpm {
  #include <abstractions/base>
  #include <abstractions/openssl>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.swtpm>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  network inet stream,
  network inet6 stream,
  unix (send) type=dgram addr=none peer=(addr=none),
  unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

  /usr/bin/swtpm rm,

  /tmp/** rwk,
  owner @{HOME}/** rwk,
  owner /var/lib/libvirt/swtpm/** rwk,
  /run/libvirt/qemu/swtpm/*.sock rwk,
  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
  owner /run/libvirt/qemu/swtpm/*.pid rwk,
  owner /dev/vtpmx rw,
  owner /etc/nsswitch.conf r,
  owner /var/lib/swtpm/** rwk,
  owner /run/swtpm/sock rw,
}

I tested the proposed package and the test case I described here (https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/2016744) still does not work:

$ /usr/share/swtpm/swtpm-create-user-config-files --overwrite
Environment variable XDG_CONFIG_HOME is not set. Using ${HOME}/.config.
Writing /home/stefanb/.config/swtpm_setup.conf.
Writing /home/stefanb/.config/swtpm-localca.conf.
Writing /home/stefanb/.config/swtpm-localca.options.

$ swtpm_setup --tpm2 --tpmstate . --overwrite --create-ek-cert
Starting vTPM manufacturing as stefanb:stefanb @ Sun 23 Apr 2023 12:07:17 PM EDT
TPM is listening on Unix socket.
Successfully created RSA 2048 EK with handle 0x81010001.
Could not find @DATAROOTDIR@/swtpm/swtpm-localca in PATH. <<<<<<<<<<
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Sun 23 Apr 2023 12:07:17 PM EDT

$ grep DATAROOT /usr/share/swtpm/swtpm-create-user-config-files
create_certs_tool = @DATAROOTDIR@/swtpm/swtpm-localca

The @DATAROOTDIR@ should have been replaced during 'configure'.

Stefan, thanks for testing, but that's a different bug, being handled in a different upload. Specifically, that upload is in the jammy unapproved queue[1] still, and it's not expected that this upload here will fix *that* bug.

1. https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=swtpm

Alright, then please ignore my comment

I plan to get to that other bug today, and more then welcome your testing there when it reaches proposed :)

I verified the test results and am satisfied that they show the executed planned test case, and that the results are correct.

The package built correctly in all architectures and Ubuntu releases it was meant for.

There are no DEP8 regressions.

There is no SRU freeze ongoing at the moment.

There is no halted phasing on the previous update.

This bug was fixed in the package swtpm - 0.6.3-0ubuntu3.1

---------------
swtpm (0.6.3-0ubuntu3.1) jammy; urgency=medium

  * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
    In between adding the apparmor profile to Ubuntu and merging upstream
    additional rules were used to cover more common use cases. (LP: #1992377)
    - The six capability lines fix the broken upstream unit test cases:
      test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
      test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
    - owner @{HOME}/** rwk was added as using a folder in one's home directory
      is common for managing tpm states
    - Access in the tmp directory is further generalized as this is where swtpm
      interacts with qemu and libvirt
    - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
      work

 -- Lena Voytek <email address hidden> Wed, 16 Nov 2022 13:54:54 -0700

The verification of the Stable Release Update for swtpm has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.