Verified the fix on Jammy with the above Windows 11 test case and by checking the profile manually:
## Root-shell transcript of the SRU verification run (the leading "# " on each
## command is the prompt, not a comment): fresh Jammy container, -proposed
## pocket enabled, swtpm upgraded from it, then the shipped profile inspected.
# lxc launch ubuntu:22.04 test-swtpm
# lxc exec test-swtpm bash
## Unquoted EOF so $(lsb_release -cs) expands inside the container (-> jammy).
## http:// is acceptable here because apt verifies the archive signatures; the
## concern is scope, not transport: this makes the whole -proposed pocket
## installable, not just swtpm.
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
## NOTE(review): dist-upgrade pulls every package currently staged in
## -proposed, so a regression seen afterwards is not necessarily swtpm's. To
## isolate the package under test, pin -proposed below priority 500 and
## install it explicitly (apt install swtpm/jammy-proposed) instead.
# apt update && apt dist-upgrade -y
# apt install swtpm -y
# cat /etc/apparmor.d/usr.bin.swtpm
# vim:syntax=apparmor
# AppArmor policy for swtpm
# Author: Lena Voytek <email address hidden>
# Last Modified: Tue Oct 11 10:53:05 2022
#
# Confines /usr/bin/swtpm as started by libvirt for a guest's emulated TPM
# (and, via the @{HOME} rule, when run by hand). Rules are additive: in
# enforce mode anything not listed below is denied and logged as
# apparmor="DENIED".

#include <tunables/global>

profile swtpm /usr/bin/swtpm {
  #include <abstractions/base>
  #include <abstractions/openssl>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.swtpm>

  # NOTE(review): broad capability set. chown/fowner/fsetid/setgid/setuid fit
  # a daemon that fixes up ownership of its state directory and drops
  # privileges; dac_override/dac_read_search let it bypass permission bits
  # entirely. Worth confirming each one against an actual DENIED line from
  # the test case rather than keeping them as a blanket grant.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  # TCP control/data channels (swtpm's socket mode); no address or port
  # restriction, so this also permits listening.
  network inet stream,
  network inet6 stream,
  # Unnamed datagram peer: presumably the syslog socket (/dev/log) — confirm.
  unix (send) type=dgram addr=none peer=(addr=none),
  # Stream socket with a process confined by libvirt's per-domain profile
  # (label libvirt-<uuid>), presumably the guest's QEMU.
  unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

  # Its own binary: read + mmap.
  /usr/bin/swtpm rm,

  # NOTE(review): unlike the state/log/pid rules below there is no `owner`
  # qualifier here, so swtpm may read/write/lock any file under /tmp no matter
  # who owns it. If the test case does not need foreign files there,
  # `owner /tmp/** rwk,` is the tighter equivalent.
  /tmp/** rwk,
  # Manual (non-libvirt) runs keeping TPM state under the invoking user's home.
  owner @{HOME}/** rwk,
  # Per-domain TPM state plus the control socket, log and pid file libvirt
  # hands it; only the socket rule is not owner-restricted.
  owner /var/lib/libvirt/swtpm/** rwk,
  /run/libvirt/qemu/swtpm/*.sock rwk,
  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
  owner /run/libvirt/qemu/swtpm/*.pid rwk,
  # vTPM proxy control device (chardev mode). Typically root-owned, so with
  # `owner` this only matches when swtpm itself runs as root — confirm.
  owner /dev/vtpmx rw,
  # NOTE(review): /etc/nsswitch.conf is root-owned, so `owner ... r` grants
  # nothing if libvirt starts swtpm as an unprivileged user (swtpm_user in
  # qemu.conf). If that read is needed, `#include <abstractions/nameservice>`
  # or a plain `/etc/nsswitch.conf r,` is the usual form — verify against the
  # denials seen.
  owner /etc/nsswitch.conf r,
  # Standalone (non-libvirt) state directory and socket.
  owner /var/lib/swtpm/** rwk,
  owner /run/swtpm/sock rw,
}
Verified the fix on Jammy with the above Windows 11 test case and by checking the profile manually:
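## Root-shell transcript of the SRU verification run (the leading "# " on each
## command is the prompt, not a comment): fresh Jammy container, -proposed
## pocket enabled, swtpm upgraded from it, then the shipped profile inspected.
## (Restored from a column-wrapped rendering that split the heredoc across
## lines; the commands are the same ones shown earlier on this page.)
# lxc launch ubuntu:22.04 test-swtpm
# lxc exec test-swtpm bash
## Unquoted EOF so $(lsb_release -cs) expands inside the container (-> jammy).
## http:// is acceptable here because apt verifies the archive signatures; the
## concern is scope, not transport: this makes the whole -proposed pocket
## installable, not just swtpm.
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
## NOTE(review): dist-upgrade pulls every package currently staged in
## -proposed, so a regression seen afterwards is not necessarily swtpm's. To
## isolate the package under test, pin -proposed below priority 500 and
## install it explicitly (apt install swtpm/jammy-proposed) instead.
# apt update && apt dist-upgrade -y
# apt install swtpm -y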
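# cat /etc/apparmor.d/usr.bin.swtpm
# vim:syntax=apparmor
# AppArmor policy for swtpm
# Author: Lena Voytek <email address hidden>
# Last Modified: Tue Oct 11 10:53:05 2022
#
# Confines /usr/bin/swtpm as started by libvirt for a guest's emulated TPM
# (and, via the @{HOME} rule, when run by hand). Rules are additive: in
# enforce mode anything not listed below is denied and logged as
# apparmor="DENIED". (Restored from a column-wrapped rendering that split
# rules across lines; identical to the listing shown earlier on this page.)

#include <tunables/global>

profile swtpm /usr/bin/swtpm {
  #include <abstractions/base>
  #include <abstractions/openssl>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.swtpm>

  # NOTE(review): broad capability set. chown/fowner/fsetid/setgid/setuid fit
  # a daemon that fixes up ownership of its state directory and drops
  # privileges; dac_override/dac_read_search let it bypass permission bits
  # entirely. Worth confirming each one against an actual DENIED line from
  # the test case rather than keeping them as a blanket grant.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability setgid,
  capability setuid,

  # TCP control/data channels (swtpm's socket mode); no address or port
  # restriction, so this also permits listening.
  network inet stream,
  network inet6 stream,
  # Unnamed datagram peer: presumably the syslog socket (/dev/log) — confirm.
  unix (send) type=dgram addr=none peer=(addr=none),
  # Stream socket with a process confined by libvirt's per-domain profile
  # (label libvirt-<uuid>), presumably the guest's QEMU.
  unix (send, receive) type=stream addr=none peer=(label=libvirt-*),

  # Its own binary: read + mmap.
  /usr/bin/swtpm rm,

  # NOTE(review): unlike the state/log/pid rules below there is no `owner`
  # qualifier here, so swtpm may read/write/lock any file under /tmp no matter
  # who owns it. If the test case does not need foreign files there,
  # `owner /tmp/** rwk,` is the tighter equivalent.
  /tmp/** rwk,
  # Manual (non-libvirt) runs keeping TPM state under the invoking user's home.
  owner @{HOME}/** rwk,
  # Per-domain TPM state plus the control socket, log and pid file libvirt
  # hands it; only the socket rule is not owner-restricted.
  owner /var/lib/libvirt/swtpm/** rwk,
  /run/libvirt/qemu/swtpm/*.sock rwk,
  owner /var/log/swtpm/libvirt/qemu/*.log rwk,
  owner /run/libvirt/qemu/swtpm/*.pid rwk,
  # vTPM proxy control device (chardev mode). Typically root-owned, so with
  # `owner` this only matches when swtpm itself runs as root — confirm.
  owner /dev/vtpmx rw,
  # NOTE(review): /etc/nsswitch.conf is root-owned, so `owner ... r` grants
  # nothing if libvirt starts swtpm as an unprivileged user (swtpm_user in
  # qemu.conf). If that read is needed, `#include <abstractions/nameservice>`
  # or a plain `/etc/nsswitch.conf r,` is the usual form — verify against the
  # denials seen.
  owner /etc/nsswitch.conf r,
  # Standalone (non-libvirt) state directory and socket.
  owner /var/lib/swtpm/** rwk,
  owner /run/swtpm/sock rw,
}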