Add sys_admin capability to apparmor profile by default

Bug #2071478 reported by Lena Voytek
Affects           Status          Importance   Assigned to    Milestone
swtpm (Ubuntu)    Status tracked in Oracular
  Jammy           In Progress     Undecided    Lena Voytek
  Mantic          In Progress     Undecided    Lena Voytek
  Noble           In Progress     Undecided    Lena Voytek
  Oracular        Fix Released    Undecided    Lena Voytek

Bug Description

Based on the upstream discussion here - https://github.com/stefanberger/swtpm/discussions/866 - certain features of swtpm require access to kernel modules to work. For example, using --vtpm-proxy requires the tpm_vtpm_proxy module. This should work by default, and is fixed by adding capability sys_admin to the apparmor profile.

Lena Voytek (lvoytek)
no longer affects: swtpm (Ubuntu Focal)
Changed in swtpm (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Mantic):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Noble):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Oracular):
assignee: nobody → Lena Voytek (lvoytek)
status: New → In Progress
Lena Voytek (lvoytek)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.7.3-0ubuntu7

---------------
swtpm (0.7.3-0ubuntu7) oracular; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <email address hidden> Tue, 09 Jul 2024 06:06:00 -0700

Changed in swtpm (Ubuntu Oracular):
status: In Progress → Fix Released
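The following is an added example and is not part of the bug report, the Launchpad comments or the swtpm package. It is a POSIX shell script that reads AppArmor denial lines of the two kinds the changelog above addresses, a capability denial for the profile (the subject of this bug) and a lock denial on a file under /var/lib/libvirt/swtpm/ (LP: #2072524), and then checks whether a profile text carries the `capability sys_admin,` rule the fix adds. The log lines, the profile excerpt and the profile name `swtpm` are constructed for the example; on a real host the same functions would be fed `dmesg` or the audit log and the installed profile from debian/usr.bin.swtpm.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the swtpm package.
# Lists AppArmor denials recorded for one profile and checks a profile text
# for a capability rule. The log lines, the profile excerpt and the profile
# name "swtpm" are constructed for this example.

# Constructed kernel log lines in the shape of AppArmor audit messages:
# one capability denial (the case in this bug), one allowed open, and one
# file-lock denial on a lockfile under /var/lib/libvirt/swtpm/.
SAMPLE_LOG='[  100.000001] audit: type=1400 audit(1720000000.000:101): apparmor="DENIED" operation="capable" class="cap" profile="swtpm" pid=4242 comm="swtpm" capability=21  capname="sys_admin"
[  100.000002] audit: type=1400 audit(1720000000.001:102): apparmor="ALLOWED" operation="open" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/tpm-state.lock" pid=4242 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=64055 ouid=0
[  100.000003] audit: type=1400 audit(1720000000.002:103): apparmor="DENIED" operation="file_lock" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/tpm-state.lock" pid=4242 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=64055 ouid=0'

# Constructed excerpt of a profile that carries the rule the changelog adds.
SAMPLE_PROFILE='profile swtpm /usr/bin/swtpm {
  capability sys_admin,
  owner /var/lib/libvirt/swtpm/** rwk,
}'

# denied_capabilities PROFILE
# Reads log text on stdin; prints each capability PROFILE was denied, one per line.
denied_capabilities() {
  grep 'apparmor="DENIED"' |
    grep "profile=\"$1\"" |
    grep 'operation="capable"' |
    sed -n 's/.*capname="\([^"]*\)".*/\1/p'
}

# denied_files PROFILE
# Reads log text on stdin; prints "<path> <denied_mask>" for each file-class denial.
denied_files() {
  grep 'apparmor="DENIED"' |
    grep "profile=\"$1\"" |
    grep 'class="file"' |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p'
}

# profile_grants_capability NAME
# Reads profile text on stdin; succeeds when a "capability NAME," rule is present.
profile_grants_capability() {
  grep -Eq "^[[:space:]]*capability[[:space:]]+$1[[:space:]]*,"
}

# report PROFILE
# Summarises the constructed log against the constructed profile text.
report() {
  printf 'Capabilities denied to profile %s:\n' "$1"
  printf '%s\n' "$SAMPLE_LOG" | denied_capabilities "$1" | sed 's/^/  /'
  printf 'File denials for profile %s:\n' "$1"
  printf '%s\n' "$SAMPLE_LOG" | denied_files "$1" | sed 's/^/  /'
  for cap in $(printf '%s\n' "$SAMPLE_LOG" | denied_capabilities "$1"); do
    if printf '%s\n' "$SAMPLE_PROFILE" | profile_grants_capability "$cap"; then
      printf 'profile grants capability %s\n' "$cap"
    else
      printf 'profile still lacks capability %s\n' "$cap"
    fi
  done
}

report swtpm
```

Keeping the denial listing in use after the profile change is the useful part: `capability sys_admin` is a broad grant, and the same check run against the live log confirms both that the `capable` denial is gone and that no other operation of the profile has started being denied.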
Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Noble):
status: New → In Progress
Changed in swtpm (Ubuntu Mantic):
status: New → In Progress
Changed in swtpm (Ubuntu Jammy):
status: New → In Progress