2021-11-11 11:11:03 |
Christian Ehrhardt |
bug |
|
|
added bug |
2021-11-11 11:11:11 |
Christian Ehrhardt |
tags |
|
server-todo |
|
2021-11-11 11:11:17 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
2022-01-07 11:34:16 |
Utkarsh Gupta |
libvirt (Ubuntu): status |
New |
Triaged |
|
2022-02-08 16:15:51 |
Lena Voytek |
libvirt (Ubuntu): assignee |
|
Lena Voytek (lvoytek) |
|
2022-02-18 15:40:05 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu) |
|
2022-02-18 15:40:16 |
Lena Voytek |
swtpm (Ubuntu): status |
New |
In Progress |
|
2022-02-18 15:40:20 |
Lena Voytek |
libvirt (Ubuntu): status |
Triaged |
In Progress |
|
2022-02-18 15:40:24 |
Lena Voytek |
swtpm (Ubuntu): assignee |
|
Lena Voytek (lvoytek) |
|
2022-02-18 15:40:40 |
Lena Voytek |
bug |
|
|
added subscriber Lena Voytek |
2022-02-18 23:03:06 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/415813 |
|
2022-02-23 16:34:18 |
Christian Ehrhardt |
tags |
server-todo |
server-next |
|
2022-02-23 19:42:30 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |
2022-03-02 09:35:49 |
Lena Voytek |
summary |
wrap swtpm in an apparmor profile |
[FFe] wrap swtpm in an apparmor profile |
|
2022-03-02 09:46:04 |
Lena Voytek |
description |
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
Please accept the swtpm apparmor profile as a Jammy FFe.
[Rationale]
We would like to MIR swtpm in the near future, and adding in the apparmor profile is needed for this to happen for security.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
If users encounter errors with this, it will be limited to the packages built with src:swtpm as the packages have no reverse dependencies in the archive.
swtpm is not seeded.
[Tests]
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
|
2022-03-07 13:25:33 |
Christian Ehrhardt |
tags |
server-next |
server-todo |
|
2022-03-07 13:38:36 |
Christian Ehrhardt |
libvirt (Ubuntu): importance |
Undecided |
High |
|
2022-03-07 13:38:38 |
Christian Ehrhardt |
swtpm (Ubuntu): importance |
Undecided |
High |
|
2022-03-07 13:38:45 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
In Progress |
Invalid |
|
2022-03-07 13:38:47 |
Christian Ehrhardt |
libvirt (Ubuntu): assignee |
Lena Voytek (lvoytek) |
|
|
2022-03-09 17:18:50 |
Lena Voytek |
description |
Please accept the swtpm apparmor profile as a Jammy FFe.
[Rationale]
We would like to MIR swtpm in the near future, and adding in the apparmor profile is needed for this to happen for security.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
If users encounter errors with this, it will be limited to the packages built with src:swtpm as the packages have no reverse dependencies in the archive.
swtpm is not seeded.
[Tests]
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
Please accept the swtpm apparmor profile as a Jammy FFe.
[Rationale]
We would like to MIR swtpm in the near future, and adding in the apparmor profile is needed for this to happen for security.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
If users encounter errors with this, it will be limited to the packages built with src:swtpm as the packages have no reverse dependencies in the archive.
swtpm is not seeded.
[Tests]
autopkgtest output:
============================================================================
Testsuite summary for swtpm 0.6.1
============================================================================
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[2]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Entering directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
autopkgtest [10:14:10]: test run-tests: -----------------------]
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@@@@@@@@@@@@@@ summary
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
|
2022-03-09 17:27:13 |
Lena Voytek |
description |
Please accept the swtpm apparmor profile as a Jammy FFe.
[Rationale]
We would like to MIR swtpm in the near future, and adding in the apparmor profile is needed for this to happen for security.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
If users encounter errors with this, it will be limited to the packages built with src:swtpm as the packages have no reverse dependencies in the archive.
swtpm is not seeded.
[Tests]
autopkgtest output:
============================================================================
Testsuite summary for swtpm 0.6.1
============================================================================
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[2]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Entering directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
autopkgtest [10:14:10]: test run-tests: -----------------------]
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@@@@@@@@@@@@@@ summary
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
Dear Release Team,
Please accept the swtpm apparmor profile as a Jammy FFe.
PPA: ppa:lvoytek/swtpm-apparmor-profile-jammy
[Rationale]
We would like to MIR swtpm in the near future, and adding in the apparmor profile is needed for this to happen for security.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
If users encounter errors with this, it will be limited to the packages built with src:swtpm as the packages have no reverse dependencies in the archive.
swtpm is not seeded.
[Tests]
autopkgtest output:
============================================================================
Testsuite summary for swtpm 0.6.1
============================================================================
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[2]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Entering directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
autopkgtest [10:14:10]: test run-tests: -----------------------]
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@@@@@@@@@@@@@@ summary
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
|
2022-03-09 22:32:19 |
Lena Voytek |
swtpm (Ubuntu): status |
In Progress |
New |
|
2022-03-09 22:32:39 |
Lena Voytek |
bug |
|
|
added subscriber Ubuntu Release Team |
2022-03-10 06:17:21 |
Christian Ehrhardt |
description |
Dear Release Team,
Please accept the swtpm apparmor profile as a Jammy FFe.
PPA: ppa:lvoytek/swtpm-apparmor-profile-jammy
[Rationale]
We would like to MIR swtpm in the near future, and adding in the apparmor profile is needed for this to happen for security.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
If users encounter errors with this, it will be limited to the packages built with src:swtpm as the packages have no reverse dependencies in the archive.
swtpm is not seeded.
[Tests]
autopkgtest output:
============================================================================
Testsuite summary for swtpm 0.6.1
============================================================================
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[2]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Entering directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
autopkgtest [10:14:10]: test run-tests: -----------------------]
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@@@@@@@@@@@@@@ summary
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
Dear Release Team,
Please accept the swtpm apparmor profile as a Jammy FFe.
PPA: ppa:lvoytek/swtpm-apparmor-profile-jammy
[Rationale]
swtpm is being MIRed right now (bug 1948748) and while not (yet, still in security revieww) being called out explicitly - adding in the apparmor profile is a good addition in regard to security. Eventually this is another new guest<->host interface which generally are high ranked in attack profiles - so adding another layer (Steve already made the user swtpm runs with more safe) of security seems like an important thing.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
But before Jammy swtpm wasn't in the Archive at all and that isn't released yet - so it can't be felt like a regression. And the profile has the usual means of local includes to allow users to overcome this without too much hazzle.
swtpm is not seeded (but about to, see MIR bug above).
[Proposed upload]
Code: https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/415813
Build: https://launchpad.net/~lvoytek/+archive/ubuntu/swtpm-apparmor-profile-jammy
[Tests]
autopkgtest output:
============================================================================
Testsuite summary for swtpm 0.6.1
============================================================================
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[3]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[2]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src/tests'
make[1]: Entering directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
make[1]: Leaving directory '/tmp/autopkgtest.cLbuOZ/build.Gmd/src'
autopkgtest [10:14:10]: test run-tests: -----------------------]
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@@@@@@@@@@@@@@ summary
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there. |
|
2022-03-14 18:48:59 |
Steve Langasek |
swtpm (Ubuntu): status |
New |
Confirmed |
|
2022-03-17 15:50:52 |
Christian Ehrhardt |
swtpm (Ubuntu): status |
Confirmed |
Fix Committed |
|
2022-03-22 15:44:16 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/417342 |
|
2022-03-23 16:35:53 |
Launchpad Janitor |
swtpm (Ubuntu): status |
Fix Committed |
Fix Released |
|
2022-03-23 16:35:53 |
Launchpad Janitor |
cve linked |
|
2022-23645 |
|