Allow non-owned lockfile writes in /var/lib/libvirt/swtpm/

Bug #2072524 reported by Lena Voytek
Affects           Status          Importance   Assigned to    Milestone
swtpm (Ubuntu)    (status tracked in Oracular)
  Jammy           In Progress     Undecided    Lena Voytek
  Mantic          In Progress     Undecided    Lena Voytek
  Noble           In Progress     Undecided    Lena Voytek
  Oracular        Fix Released    Undecided    Lena Voytek

Bug Description

Based on the upstream comment here - https://github.com/stefanberger/swtpm/issues/852#issuecomment-2156039973 - users are having issues with AppArmor denials when attempting to use TPM2 NVRAM state lockfiles. This is due to the file not being owned by the swtpm user. The issue is fixed by allowing write access to non-owned lock files in /var/lib/libvirt/swtpm/. This was fixed upstream in my PR here - https://github.com/stefanberger/swtpm/pull/868
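
The denial described above comes from AppArmor's `owner` qualifier: a rule such as `owner /path/** rwk,` only matches files whose owner uid equals the confined process's fsuid, so a lock file created by another uid is refused even though the path matches. The script below is an added example, not code from the bug report, the Ubuntu package or the upstream PR. It classifies AppArmor `DENIED` audit records for the `swtpm` profile, separating the case this bug is about (a write or lock request on a non-owned `.lock` file under /var/lib/libvirt/swtpm/) from a non-owned write to any other state file, which points at a file-ownership problem rather than a reason to loosen the profile. The audit lines, the uid 64055, the per-domain `<uuid>/tpm2/.lock` layout and the profile rule text shown by `profile_rules` are constructed for the example; the exact rule added in d/usr.bin.swtpm is not reproduced here.

```shell
#!/bin/sh
# Added example: triage AppArmor denials for the swtpm profile and show the
# shape of an owner-qualified rule next to a narrow non-owner rule for the
# lock file. Not part of the swtpm package; sample data is constructed.

# Constructed kernel audit lines (format as emitted by AppArmor, values made up):
#  1. non-owned .lock written by swtpm's uid  -> the case fixed by this bug
#  2. non-owned state file written by swtpm    -> ownership problem, do not widen profile
#  3. owned state file, read denied            -> unrelated cause
SAMPLE_DENIALS='audit: type=1400 audit(1720516800.101:201): apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/1f2e3d4c-0000-4000-8000-000000000001/tpm2/.lock" pid=4242 comm="swtpm" requested_mask="wc" denied_mask="wc" fsuid=64055 ouid=0
audit: type=1400 audit(1720516800.202:202): apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/1f2e3d4c-0000-4000-8000-000000000001/tpm2/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=64055 ouid=0
audit: type=1400 audit(1720516800.303:203): apparmor="DENIED" operation="open" class="file" profile="swtpm" name="/var/lib/libvirt/swtpm/1f2e3d4c-0000-4000-8000-000000000001/tpm2/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055'

# classify_denials: read AppArmor DENIED records on stdin, print "<verdict> <path>".
#   lock-nonowner   write/lock on a non-owned .lock file under the libvirt swtpm dir
#   state-nonowner  write/lock on some other non-owned file under that dir
#   other           anything else (owned file, read-only request, ...)
classify_denials() {
    awk '
    /apparmor="DENIED"/ {
        split("", kv)                       # portable way to clear the array
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue            # skip tokens such as audit(...):
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/"/, "", v)                # strip the quotes around values
            kv[k] = v
        }
        if (kv["profile"] != "swtpm") next
        nonowner    = (kv["fsuid"] != kv["ouid"])      # owner qualifier would fail
        wants_write = (kv["requested_mask"] ~ /[wk]/)  # write or file lock requested
        if (nonowner && wants_write && kv["name"] ~ /^\/var\/lib\/libvirt\/swtpm\/.*\/\.lock$/)
            print "lock-nonowner", kv["name"]
        else if (nonowner && wants_write && kv["name"] ~ /^\/var\/lib\/libvirt\/swtpm\//)
            print "state-nonowner", kv["name"]
        else
            print "other", kv["name"]
    }'
}

# profile_rules: illustrative rendering of the approach (assumed rule text, not
# the exact lines of d/usr.bin.swtpm): keep the state directory owner-restricted
# and drop the owner qualifier only for the lock file itself.
profile_rules() {
    cat <<'EOF'
  # TPM state (NVRAM, permanent state): only files owned by the swtpm uid
  owner /var/lib/libvirt/swtpm/** rwk,
  # Lock file may be created by a different uid; allow write+lock, nothing more
  /var/lib/libvirt/swtpm/**/.lock wk,
EOF
}

printf '%s\n' "$SAMPLE_DENIALS" | classify_denials
```

On a live host feed the classifier with `journalctl -k | classify_denials` (or `dmesg`). A `lock-nonowner` hit is what this bug fixes; a `state-nonowner` hit means a state file under /var/lib/libvirt/swtpm/ has the wrong owner and should be corrected with chown rather than by removing `owner` from the state rule, since those files hold the TPM's NVRAM contents.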

Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Mantic):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Noble):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Oracular):
assignee: nobody → Lena Voytek (lvoytek)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.7.3-0ubuntu7

---------------
swtpm (0.7.3-0ubuntu7) oracular; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <email address hidden> Tue, 09 Jul 2024 06:06:00 -0700

Changed in swtpm (Ubuntu Oracular):
status: In Progress → Fix Released
Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Jammy):
status: New → In Progress
Changed in swtpm (Ubuntu Mantic):
status: New → In Progress
Changed in swtpm (Ubuntu Noble):
status: New → In Progress