swtpm fails in focal with apparmor

Bug #1859506 reported by Dimitri John Ledkov on 2020-01-13
Affects          Importance   Assigned to
libvirt (Ubuntu) Undecided    Christian Ehrhardt
qemu (Ubuntu)    Undecided    Unassigned

Bug Description

Jan 13 17:49:22 ottawa audit[142634]: AVC apparmor="ALLOWED" operation="open" profile="libvirt-047133ac-847c-46b6-a6b0-b80bbadf17b0" name="/var/log/swtpm/libvirt/qemu/core20-swtpm.log" pid=142634 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=130 ouid=130
Jan 13 17:49:22 ottawa kernel: audit: type=1400 audit(1578937762.252:1829): apparmor="ALLOWED" operation="open" profile="libvirt-047133ac-847c-46b6-a6b0-b80bbadf17b0" name="/var/log/swtpm/libvirt/qemu/core20-swtpm.log" pid=142634 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=130 ouid=130
Jan 13 17:49:22 ottawa audit[142635]: AVC apparmor="ALLOWED" operation="file_lock" profile="libvirt-047133ac-847c-46b6-a6b0-b80bbadf17b0" name="/var/lib/libvirt/swtpm/047133ac-847c-46b6-a6b0-b80bbadf17b0/tpm2/.lock" pid=142635 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=130 ouid=130
Jan 13 17:49:22 ottawa kernel: audit: type=1400 audit(1578937762.508:1831): apparmor="ALLOWED" operation="file_lock" profile="libvirt-047133ac-847c-46b6-a6b0-b80bbadf17b0" name="/var/lib/libvirt/swtpm/047133ac-847c-46b6-a6b0-b80bbadf17b0/tpm2/.lock" pid=142635 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=130 ouid=130

I've tried swtpm in my VM and it failed with apparmor errors. I've set the profile to complain, and the above got "allowed" to make the VM run.

I guess the libvirt tpm specific apparmor rules are incomplete or need adjustment for newer swtpm.

I got swtpm from github.

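The two audit lines above are the whole diagnosis: the per-VM profile lacks a create ("c") rule for the swtpm log file and a lock ("k") rule for the TPM state lock file. The following is an added example (not libvirt's or swtpm's code) that does what aa-logprof would do by hand for this report: it parses AppArmor AVC lines, maps the audit mask letters onto rule permissions (create and delete are granted by "w" in rule syntax), collapses the audit/kernel duplicates, and prints candidate file rules per profile. The sample input is the report's own lines plus one constructed DENIED line showing how the same event looks in enforce mode; the helper names are my own.

```python
"""Derive candidate AppArmor file rules from AVC audit lines.

Added example for this bug report, not code from libvirt or swtpm.
Sample lines are the report's own (plus one constructed DENIED variant);
function names and the MASK_TO_RULE table are this example's assumptions.
"""
import re
from typing import Dict, List, Optional

PROFILE = "libvirt-047133ac-847c-46b6-a6b0-b80bbadf17b0"

# Constructed sample input: the report's audit and kernel lines, and a
# constructed enforce-mode line (apparmor="DENIED") for the same lock access.
SAMPLE_AUDIT_LINES = [
    'Jan 13 17:49:22 ottawa audit[142634]: AVC apparmor="ALLOWED" operation="open" '
    f'profile="{PROFILE}" name="/var/log/swtpm/libvirt/qemu/core20-swtpm.log" '
    'pid=142634 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=130 ouid=130',
    'Jan 13 17:49:22 ottawa kernel: audit: type=1400 audit(1578937762.252:1829): '
    f'apparmor="ALLOWED" operation="open" profile="{PROFILE}" '
    'name="/var/log/swtpm/libvirt/qemu/core20-swtpm.log" pid=142634 comm="swtpm" '
    'requested_mask="c" denied_mask="c" fsuid=130 ouid=130',
    'Jan 13 17:49:22 ottawa audit[142635]: AVC apparmor="ALLOWED" operation="file_lock" '
    f'profile="{PROFILE}" '
    'name="/var/lib/libvirt/swtpm/047133ac-847c-46b6-a6b0-b80bbadf17b0/tpm2/.lock" '
    'pid=142635 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=130 ouid=130',
    # constructed: the same lock denial as it would appear with the profile enforcing
    'Jan 13 17:50:01 ottawa audit[142700]: AVC apparmor="DENIED" operation="file_lock" '
    f'profile="{PROFILE}" '
    'name="/var/lib/libvirt/swtpm/047133ac-847c-46b6-a6b0-b80bbadf17b0/tpm2/.lock" '
    'pid=142700 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=130 ouid=130',
]

# Audit mask letter -> AppArmor rule permission. "c" (create) and "d" (delete)
# have no rule letter of their own; both are granted by "w".
MASK_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m", "x": "x"}
RULE_ORDER = "rwaklmx"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor AVC line (quotes stripped),
    or None for any other log line. ALLOWED (complain mode) and DENIED
    (enforce mode) both mean the profile lacks a rule for the access."""
    if 'apparmor="' not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None
    return fields


def rule_perms(mask: str) -> str:
    """Map an audit mask such as "c" or "rwk" onto rule letters, de-duplicated
    and in canonical order so equivalent rules compare equal."""
    letters = {MASK_TO_RULE[ch] for ch in mask if ch in MASK_TO_RULE}
    return "".join(ch for ch in RULE_ORDER if ch in letters)


def suggest_rules(lines) -> Dict[str, List[str]]:
    """Group file accesses per profile, merge masks per path, and render one
    candidate rule per path. The audit/kernel duplicate and the
    ALLOWED/DENIED repeat collapse into a single rule each."""
    wanted: Dict[str, Dict[str, set]] = {}
    for line in lines:
        f = parse_avc(line)
        # Only file events carry an absolute path in name=; skip the rest
        # (capability, signal, network events need different rule types).
        if not f or not f.get("name", "").startswith("/"):
            continue
        mask = f.get("denied_mask") or f.get("requested_mask", "")
        per_path = wanted.setdefault(f["profile"], {})
        per_path.setdefault(f["name"], set()).update(rule_perms(mask))
    return {
        profile: sorted(
            f'"{path}" {"".join(c for c in RULE_ORDER if c in perms)},'
            for path, perms in paths.items()
        )
        for profile, paths in wanted.items()
    }


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT_LINES).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print("  " + rule)
```

For the report's lines this yields one `k` rule for the `tpm2/.lock` file and one `w` rule for the swtpm log. Note the caveat for libvirt specifically: the `libvirt-<uuid>` profiles are generated per VM by virt-aa-helper, so pasting these rules into the per-VM file only survives until the next regeneration; the durable fix is the one the reporter points at, a change to libvirt's own rule generation.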
Changed in qemu (Ubuntu):
status: New → Invalid
Dimitri John Ledkov (xnox) wrote:

Please cherrypick https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=d660dd95ea91839156eb078710e9d85a2f306ab5

or i guess it will be just part of the next new upstream release.

Hi,
thanks for the report - I was seeing it in IRC already and was curious.

This existing commit is in v5.8.0 and I'm currently working on v6.0 already (will still be some work).

I'll flag this bug in the changelog so you get an update once this gets completed in Focal.

Changed in libvirt (Ubuntu):
status: New → In Progress
assignee: nobody → Christian Ehrhardt (paelzer)
tags: added: libvirt-20.04