AppArmor denials when running swtpm as unprivileged user with session libvirtd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
swtpm (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
I was trying to set up a libvirt VM with an emulated TPM under qemu:///session (i.e. a libvirtd instance running as myself).
I configured swtpm by running the following:
swtpm_setup --create-
And tried creating a VM with "virt-install --connect qemu:///session --name core-desktop --tpm emulator ...", which produced the following output:
Starting install...
ERROR operation failed: swtpm died and reported:
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///session start core-desktop
otherwise, please restart your installation.
Searching the journal for relevant messages showed:
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation=
Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/
Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(168258409
Apr 27 16:28:16 scruffy kernel: audit: type=1400 audit(168258409
Apr 27 16:28:16 scruffy libvirtd[3303247]: operation failed: swtpm died and reported:
It looks like the AppArmor policy in /etc/apparmor.
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: swtpm 0.7.3-0ubuntu1
ProcVersionSign
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Thu Apr 27 16:45:25 2023
InstallationDate: Installed on 2021-03-28 (759 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Alpha amd64 (20210327)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: swtpm
UpgradeStatus: Upgraded to lunar on 2023-03-19 (38 days ago)
I was able to get swtpm running by adding the following rules to the AppArmor profile:
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock rwk,
owner /run/user/[0-9]*/libvirt/qemu/run/swtpm/*.pid rwk,
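As an added illustration (not code from the bug report, swtpm or libvirt), a small Python checker that parses `apparmor="DENIED"` journal lines of the kind quoted above and reports which denials for the swtpm profile the two rules would still not allow. The journal lines and the socket, pid and state paths in it are constructed; the mapping of the audited create/delete bits onto the policy's `w` permission follows standard AppArmor semantics and is an assumption of the checker.

```python
import re
# The two rules the reporter added to the swtpm profile (taken from the bug report above).
FIX_RULES = [
    ("/run/user/[0-9]*/libvirt/qemu/run/swtpm/*.sock", "rwk"),
    ("/run/user/[0-9]*/libvirt/qemu/run/swtpm/*.pid", "rwk"),
]
# Constructed journal lines in the shape of the truncated ones above; the paths are assumptions.
SAMPLE_JOURNAL = [
    'Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.sock" comm="swtpm" requested_mask="c" denied_mask="c"',
    'Apr 27 16:28:16 scruffy audit[3303311]: AVC apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/run/user/1000/libvirt/qemu/run/swtpm/1-core-desktop-swtpm.pid" comm="swtpm" requested_mask="wc" denied_mask="wc"',
    'Apr 27 16:28:17 scruffy audit[3303311]: AVC apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/home/me/custom-tpm-state/tpm2-00.permall" comm="swtpm" requested_mask="r" denied_mask="r"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
def parse_denial(line):
    """Quoted key="value" fields of an AppArmor DENIED audit line as a dict; None for other lines."""
    _, sep, rest = line.partition('apparmor="DENIED"')
    return dict(FIELD_RE.findall(rest)) if sep else None

def apparmor_glob_to_regex(glob):
    """Translate an AppArmor path glob: '**' may span '/', a single '*' may not, [...] is a class."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 1                        # the second '*' is consumed by the i += 1 below
        elif glob[i] == "*":
            out.append("[^/]*")
        elif glob[i] == "[":              # character class passes through unchanged
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j
        else:
            out.append(re.escape(glob[i]))
        i += 1
    return re.compile("^" + "".join(out) + "$")

def rule_covers(rule, denial):
    """True if the glob matches the denied path and the permissions grant every requested bit (audit reports create 'c' and delete 'd' separately; policy 'w' implies both)."""
    glob, perms = rule
    if not apparmor_glob_to_regex(glob).match(denial.get("name", "")):
        return False
    granted = set(perms) | ({"c", "d"} if "w" in perms else set())
    return set(denial.get("requested_mask", "")) <= granted

def uncovered_denials(lines, rules=FIX_RULES, profile="swtpm"):
    """(operation, path, requested_mask) for denials of `profile` that none of `rules` allow."""
    denials = [d for d in map(parse_denial, lines) if d and d.get("profile") == profile]
    return [(d.get("operation"), d.get("name"), d.get("requested_mask"))
            for d in denials if not any(rule_covers(r, d) for r in rules)]
```

Run over a real journal (`journalctl -k` or `journalctl _TRANSPORT=audit`), the same function lists the paths a profile still needs rules for after a first fix is applied.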