apparmor denial when using swtpm
Bug #1968187 reported by Christian Ehrhardt
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Fix Released | Undecided | Lena Voytek |
swtpm (Ubuntu) | Fix Released | Undecided | Lena Voytek |
Bug Description
Guest using:
```xml
<devices>
  <tpm model='tpm-tis'>
    <backend type='emulator' version='2.0'/>
  </tpm>
</devices>
```
Triggers:
apparmor="DENIED" operation="open" profile=
Fine from the swtpm side, but we need to open up the guest as well.
OTOH it is not fatal, and you'd wonder why qemu needs it - will need to check and then allow or deny this.
Related branches
~lvoytek/ubuntu/+source/libvirt:libvirt-fix-swtpm-apparmor-rules
Merged into ubuntu/+source/libvirt:ubuntu/devel at revision 8d587bbb1382323a626311051c34a4725952080b
- Christian Ehrhardt (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server: Pending requested

Diff: 66 lines (+44/-0), 3 files modified
- debian/changelog (+8/-0)
- debian/patches/series (+1/-0)
- debian/patches/ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch (+35/-0)
~lvoytek/ubuntu/+source/swtpm:swtpm-add-libvirt-apparmor-rules
- Christian Ehrhardt (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server: Pending requested

Diff: 38 lines (+16/-1), 2 files modified
- debian/changelog (+8/-0)
- debian/usr.bin.swtpm (+8/-1)
Changed in libvirt (Ubuntu):
- status: New → In Progress
- assignee: nobody → Lena Voytek (lvoytek)
- tags: added: server-todo

Changed in swtpm (Ubuntu):
- status: New → In Progress
- assignee: nobody → Lena Voytek (lvoytek)
From testing it seems this shows up due to swtpm_setup using the openssl config for key setup information. I managed to fix the issue by adding
#include <abstractions/openssl>
to the TEMPLATE.qemu file in the apparmor directory. I tested with the ppa:
ppa:lvoytek/libvirt-allow-openssl-qemu-jammy
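
A triage helper for denials like the one in this report, added here as an example (it is not code from the bug report, libvirt or swtpm): it parses AppArmor `DENIED` audit records and merges the per-guest `libvirt-<uuid>` profiles, so a denial that repeats across guests points at the shared TEMPLATE.qemu rather than at one guest. The sample records are constructed, including the denied path and the `example-profile` name, because the log line in the report is truncated.

```python
import re
from collections import Counter

# Audit fields are key="quoted" or key=bare. The kernel emits untrusted
# strings containing spaces or quotes as bare uppercase hex instead.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r'(?:[0-9A-F]{2})+\Z')
_GUEST = re.compile(r'libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\Z')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key in ("name", "profile", "comm") and _HEX.match(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare if quoted is None else quoted
    return fields if fields.get("apparmor") == "DENIED" else None

def summarise(lines):
    """Count denials per (profile, comm, path, mask), merging per-guest profiles."""
    counts = Counter()
    for d in filter(None, map(parse_denial, lines)):
        profile = d.get("profile", "?")
        if _GUEST.match(profile):
            profile = "libvirt-<uuid>"  # one profile per guest, same template
        key = (profile, d.get("comm", "?"), d.get("name", "?"), d.get("denied_mask", "?"))
        counts[key] += 1
    return counts

# Constructed sample records; paths, UUIDs and the non-libvirt profile are made up.
_PREFIX = 'audit: type=1400 audit(1650000000.1:1): '
SAMPLE = [
    _PREFIX + 'apparmor="DENIED" operation="open" '
    'profile="libvirt-0f3c1a2e-5b6d-4c7e-8f90-123456789abc" '
    'name="/etc/ssl/openssl.cnf" pid=101 comm="swtpm_setup" requested_mask="r" denied_mask="r"',
    _PREFIX + 'apparmor="DENIED" operation="open" '
    'profile="libvirt-9a8b7c6d-1e2f-4a3b-8c4d-abcdef012345" '
    'name="/etc/ssl/openssl.cnf" pid=102 comm="swtpm_setup" requested_mask="r" denied_mask="r"',
    _PREFIX + 'apparmor="DENIED" operation="mknod" profile="example-profile" '
    'name=2F746D702F612062 pid=103 comm="example" requested_mask="w" denied_mask="w"',
    _PREFIX + 'apparmor="ALLOWED" operation="open" profile="example-profile" '
    'name="/etc/hosts" pid=104 comm="example" requested_mask="r" denied_mask="r"',
    "kernel: unrelated line",
]

if __name__ == "__main__":
    for (profile, comm, path, mask), n in summarise(SAMPLE).most_common():
        print(f"{n}x {profile}: {comm} denied '{mask}' on {path}")
```

Each summary row is a candidate to check against an existing abstraction before deciding whether to allow or deny the access.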