swtpm fails in focal with apparmor

Please cherrypick https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=d660dd95ea91839156eb078710e9d85a2f306ab5

or i guess it will be just part of the next new upstream release.

Hi,
thanks for the report - I was seeing it in IRC already and was curious.

This existing commit is in v5.8.0 and I'm currently working on v6.0 already (will still be some work).

I'll flag this bug in the changelog so you get an update once this gets completed in Focal.

This bug was fixed in the package libvirt - 6.0.0-0ubuntu1

---------------
libvirt (6.0.0-0ubuntu1) focal; urgency=medium

  * Merged with Debian 5.6.0-4 from experimental and v6.0.0 from upstream
    Among many other new features and fixes this includes fixes for:
    - LP: #1859253 - rbd driver fails to create a new volume
    - LP: #1858341 - rbd driver does not list all volumes in pool
    - LP: #1845506 - Libvirt snapshot doesn't update apparmor profile
    - LP: #1854653 - slow libvirt-guests.sh during shutdown if service is off
    - LP: #1848229 - enable ppc64el to use ccf-assist feature
    - LP: #1853315 - Enable CPU Model Comparison and Baselining on s390x
    - LP: #1853317 - CCW IPL support to boot from ECKD DASDs
    - LP: #1859506 - security: AppArmor profile fixes for swtpm
    Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Autostart default bridged network (As upstream does, but not Debian).
      In addition to just enabling it our solution provides:
      + do not autostart if subnet is already taken (e.g. in guests).
      + iterate some alternative subnets before giving up
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
      + d/libvirt-daemon-system.postinst: add users in sudo to the libvirt
        group.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - Update Vcs-Git and Vcs-Browser fields to point to launchpad
    - Update README.Debian with Ubuntu changes
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + systemtap on ppc64el.
    - d/p/ubuntu/ubuntu_machine_type.patch: accept ubuntu types as pci440fx
    - Further upstreamed apparmor Delta, especially any new one
      Our former delta is split into logical pieces and is either Ubuntu only
      or is part of a continuous upstreaming effort.
      Listing related remaining changes in debian/patches/ubuntu-aa/:
    - fix autopkgtests
      + d/t/control, d/t/smoke-qemu-session: fixup smoke-qemu-session by making
        vmlinuz available and accessible (Debian bug 848314)
      + d/t/control: fix smoke-qemu-session by ensuring the service will run
        installing libvirt-daemon-system
      + d/t/smoke-lxc: fix smoke-lxc by ignoring potential issues on destroy as
        long as the following undefine succeeds
      + d/t/smoke-lxc: use systemd instead of sysV to restart the service
    - dnsmasq related enhancements
      + run dnsmasq as libvirt-dnsmasq (LP: 1743718)
      + d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
      + d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group
        on purge
      + d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
        libvirt-dnsmasq and adapt t...

Hi @Scott, nice to see you again o/
I saw you updated the title and didn't even fix our old typo :-/

But really, what was the update about - I can't see any real content update, so if there is anything please let me know!