Ubuntu
swtpm package

AppArmor denials when running swtpm as unprivileged user with session libvirtd

Bug #2017874 reported by James Henstridge on 2023-04-27

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	swtpm (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

I was trying to set up a libvirt VM with an emulated TPM under qemu:///session (i.e. a libvirtd instance running as myself).

I configured swtpm by running the following:

swtpm_setup --create-config-files skip-if-exist --tpm2

And tried creating a VM with "virt-install --connect qemu:///session --name core-desktop --tpm emulator ...", which produced the following output:

    Starting install...
    ERROR operation failed: swtpm died and reported:
    Domain installation does not appear to have been successful.
    If it was, you can restart your domain by running:
      virsh --connect qemu:///session start core-desktop
    otherwise, please restart your installation.

Searching the journal for relevant messages showed:

    Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1355): apparmor="DENIED" operation="file_inherit" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" pid=3303311 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(1682584096.368:1356): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" pid=3303311 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
    Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported:

It looks like the AppArmor policy in /etc/apparmor.d/usr.bin.swtpm is set up to allow a system wide swtpm to access its socket and pid files in /run/libvirt/qemu/swtpm, but not an unprivileged swtpm in $XDG_RUNTIME_DIR/libvirt/qemu/run/swtpm.

ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: swtpm 0.7.3-0ubuntu1
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Apr 27 16:45:25 2023
InstallationDate: Installed on 2021-03-28 (759 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Alpha amd64 (20210327)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: swtpm
UpgradeStatus: Upgraded to lunar on 2023-03-19 (38 days ago)

Tags: