2022-09-08 09:53:47 |
Marius Vollmer |
bug |
|
|
added bug |
2022-09-08 09:54:02 |
Marius Vollmer |
description |
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of virt-install, I can diog that out. |
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of virt-install, I can dig that out. |
|
2022-09-09 17:51:29 |
Lena Voytek |
libvirt (Ubuntu): status |
New |
Incomplete |
|
2022-10-21 05:53:09 |
Billy Kwong |
bug |
|
|
added subscriber Billy Kwong |
2022-10-21 21:54:41 |
Brian Devendorf |
bug |
|
|
added subscriber Brian Devendorf |
2022-10-24 02:10:37 |
Heiko Rothkranz |
bug |
|
|
added subscriber Heiko Rothkranz |
2022-10-24 06:28:30 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Incomplete |
Confirmed |
|
2022-10-24 06:28:42 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
2022-10-24 06:28:48 |
Christian Ehrhardt |
tags |
|
server-todo |
|
2022-10-24 06:29:14 |
Christian Ehrhardt |
libvirt (Ubuntu): assignee |
|
Lena Voytek (lvoytek) |
|
2022-10-24 16:01:09 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu) |
|
2022-10-24 16:01:19 |
Lena Voytek |
swtpm (Ubuntu): status |
New |
In Progress |
|
2022-10-24 16:01:21 |
Lena Voytek |
swtpm (Ubuntu): assignee |
|
Lena Voytek (lvoytek) |
|
2022-10-24 17:05:06 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2022-10-25 20:51:54 |
Lena Voytek |
description |
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of virt-install, I can dig that out. |
[Impact]
When attempting to set up a vm with libvirt using swtpm in Kinetic, swtpm's apparmor profile will deny access to the pid file in /run/libvirt/qemu/swtpm/.
The fix for this issue should be backported to Kinetic because it blocks all users attempting to set up a libvirt TPM vm with an error.
This bug is fixed by removing the "owner" tag from the line "owner /run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files to be used.
[Test Plan]
The fix can be tested using virt-manager Windows 11 iso in ~/Win11.iso:
# sudo apt update && sudo apt dist-upgrade -y
# sudo apt install virt-manager swtpm
> Open virt-manager
> Click New Virtual Machine button
Step 1:
> Select "Local install media (ISO image or CDROM)"
> Click Forward
Step 2:
> Click Browse and find Windows 11 iso
> Select "Automatically detect from the installation media / source"
> Click Forward
Step 3:
> Use >= 4096 MiB for Memory
> Use >= 2 CPUs
> Click Forward
Step 4:
> Select "Enable storage for this virtual machine"
> Use >= 70 GiB for storage size
> Click Forward
Step 5:
> Select "Customize configuration before install"
> Click Finish
Config Screen:
> For Overview > Firmware select UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
> For Boot Options select "SATA CDROM 1" and move it to top
> Click Add Hardware
> Select TPM with Model "TIS" and version 2.0
> Click "Begin Installation"
[Where problems could occur]
By removing the owner tag in line in the apparmor profile, any file with a .pid extension in /run/libvirt/qemu/swtpm/ will be manipulatable by swtpm. If swtpm were to act maliciously, it would have an overall greater reach in this folder.
[Original Description]
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of virt-install, I can dig that out. |
|
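The [Impact] and [Where problems could occur] sections above turn on one AppArmor detail: a file rule carrying the `owner` qualifier only matches when the file's owner uid equals the accessing task's fsuid. The audit line in the report shows fsuid=118 (swtpm) against ouid=0 (the pid file libvirt created as root), which is exactly the check that fails. The following Python model is an added example, not code from this bug, swtpm or libvirt: it parses the audit line quoted above, evaluates it against the rule before and after the fix (as quoted in [Impact]), and reports why each decision falls out. The glob translation is a simplified reading of AppArmor's `*` / `**` semantics, and the second audit line (same path, file owned by uid 118) is constructed to show the case where the `owner` rule would have matched.

```python
"""Model of how an AppArmor ``owner`` file rule decides the swtpm pid-file
access from the bug's audit line.  Added example, not code from the bug
report, swtpm or libvirt; the glob translation is a simplified reading of
AppArmor's ``*`` / ``**`` semantics, and the second audit line is constructed."""
import re
from dataclasses import dataclass

# key=value pairs as they appear in an AppArmor audit line
AUDIT_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The denial quoted in the bug report (real line from the page).
PAGE_AUDIT_LINE = ('audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" '
                   'operation="file_inherit" profile="swtpm" '
                   'name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" '
                   'pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" '
                   'fsuid=118 ouid=0')

# Constructed counterpart: same path, but the pid file is owned by the
# swtpm uid itself, so the owner qualifier would match.
CONSTRUCTED_AUDIT_LINE = PAGE_AUDIT_LINE.replace('ouid=0', 'ouid=118')


@dataclass(frozen=True)
class FileRule:
    path_glob: str    # e.g. "/run/libvirt/qemu/swtpm/*.pid"
    perms: str        # AppArmor permission letters, e.g. "rwk"
    owner_only: bool  # True when the rule carries the ``owner`` qualifier


# The rule before the fix and the fixed rule, as quoted in [Impact].
RULE_BEFORE_FIX = FileRule("/run/libvirt/qemu/swtpm/*.pid", "rwk", owner_only=True)
RULE_AFTER_FIX = FileRule("/run/libvirt/qemu/swtpm/*.pid", "rwk", owner_only=False)


def parse_audit_line(line: str) -> dict:
    """Return the key=value fields of an audit line with quotes stripped."""
    return {k: v.strip('"') for k, v in AUDIT_FIELD_RE.findall(line)}


def glob_to_regex(glob: str) -> re.Pattern:
    """Simplified AppArmor globbing: ``*`` stops at '/', ``**`` does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def explain_decision(rule: FileRule, event: dict) -> tuple[bool, str]:
    """Decide whether ``rule`` alone would grant the access in ``event``.

    Returns (allowed, reason).  The ``owner`` qualifier requires the file's
    owner uid (ouid) to equal the accessing task's fsuid; that is the check
    the bug's denial fails, since libvirt (root) created the pid file and
    swtpm runs as uid 118.
    """
    path = event["name"]
    if not glob_to_regex(rule.path_glob).match(path):
        return False, f"path {path} does not match {rule.path_glob}"
    fsuid, ouid = int(event["fsuid"]), int(event["ouid"])
    if rule.owner_only and fsuid != ouid:
        return False, f"owner mismatch: fsuid={fsuid} but file owner ouid={ouid}"
    missing = [p for p in event["requested_mask"] if p not in rule.perms]
    if missing:
        return False, f"permissions {''.join(missing)} not granted by '{rule.perms}'"
    return True, "allowed"


def audit_report(lines, rule: FileRule) -> list[dict]:
    """Run each DENIED audit line against ``rule`` and collect the verdicts."""
    report = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED":
            continue
        allowed, reason = explain_decision(rule, ev)
        report.append({"profile": ev["profile"], "name": ev["name"],
                       "allowed": allowed, "reason": reason})
    return report


if __name__ == "__main__":
    for rule in (RULE_BEFORE_FIX, RULE_AFTER_FIX):
        print(f"rule: {'owner ' if rule.owner_only else ''}{rule.path_glob} {rule.perms},")
        for row in audit_report([PAGE_AUDIT_LINE, CONSTRUCTED_AUDIT_LINE], rule):
            print(f"  {row['name']}: {row['reason']}")
```

Running the script prints the page's denial as an owner mismatch under the pre-fix rule and as allowed under the fixed rule, while the constructed line (fsuid and ouid both 118) is allowed under either. The broadened reach noted in [Where problems could occur] is visible in the same model: with `owner_only=False`, any `*.pid` file in that directory passes the rule regardless of who owns it, which is the trade-off the SRU accepted.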
2022-10-25 21:14:20 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/432149 |
|
2022-10-27 18:28:49 |
Lena Voytek |
nominated for series |
|
Ubuntu Kinetic |
|
2022-10-27 18:28:49 |
Lena Voytek |
bug task added |
|
libvirt (Ubuntu Kinetic) |
|
2022-10-27 18:28:49 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu Kinetic) |
|
2022-10-27 18:28:49 |
Lena Voytek |
nominated for series |
|
Ubuntu Lunar |
|
2022-10-27 18:28:49 |
Lena Voytek |
bug task added |
|
libvirt (Ubuntu Lunar) |
|
2022-10-27 18:28:49 |
Lena Voytek |
bug task added |
|
swtpm (Ubuntu Lunar) |
|
2022-10-27 18:29:06 |
Lena Voytek |
swtpm (Ubuntu Kinetic): status |
New |
In Progress |
|
2022-10-27 18:29:11 |
Lena Voytek |
swtpm (Ubuntu Kinetic): assignee |
|
Lena Voytek (lvoytek) |
|
2022-10-27 18:29:13 |
Lena Voytek |
libvirt (Ubuntu Kinetic): assignee |
|
Lena Voytek (lvoytek) |
|
2022-10-27 18:29:17 |
Lena Voytek |
libvirt (Ubuntu Kinetic): status |
New |
Confirmed |
|
2022-11-17 22:02:49 |
Lena Voytek |
bug watch added |
|
https://github.com/stefanberger/swtpm/issues/770 |
|
2022-11-17 22:02:49 |
Lena Voytek |
bug task added |
|
swtpm |
|
2022-11-23 14:47:59 |
Lena Voytek |
description |
[Impact]
When attempting to set up a vm with libvirt using swtpm in Kinetic, swtpm's apparmor profile will deny access to the pid file in /run/libvirt/qemu/swtpm/.
The fix for this issue should be backported to Kinetic because it blocks all users attempting to set up a libvirt TPM vm with an error.
This bug is fixed by removing the "owner" tag from the line "owner /run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files to be used.
[Test Plan]
The fix can be tested using virt-manager Windows 11 iso in ~/Win11.iso:
# sudo apt update && sudo apt dist-upgrade -y
# sudo apt install virt-manager swtpm
> Open virt-manager
> Click New Virtual Machine button
Step 1:
> Select "Local install media (ISO image or CDROM)"
> Click Forward
Step 2:
> Click Browse and find Windows 11 iso
> Select "Automatically detect from the installation media / source"
> Click Forward
Step 3:
> Use >= 4096 MiB for Memory
> Use >= 2 CPUs
> Click Forward
Step 4:
> Select "Enable storage for this virtual machine"
> Use >= 70 GiB for storage size
> Click Forward
Step 5:
> Select "Customize configuration before install"
> Click Finish
Config Screen:
> For Overview > Firmware select UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
> For Boot Options select "SATA CDROM 1" and move it to top
> Click Add Hardware
> Select TPM with Model "TIS" and version 2.0
> Click "Begin Installation"
[Where problems could occur]
By removing the owner tag in line in the apparmor profile, any file with a .pid extension in /run/libvirt/qemu/swtpm/ will be manipulatable by swtpm. If swtpm were to act maliciously, it would have an overall greater reach in this folder.
[Original Description]
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of virt-install, I can dig that out. |
[Impact]
When attempting to set up a vm with libvirt using swtpm in Kinetic, swtpm's apparmor profile will deny access to the pid file in /run/libvirt/qemu/swtpm/.
The fix for this issue should be backported to Kinetic because it blocks all users attempting to set up a libvirt TPM vm with an error.
This bug is fixed by removing the "owner" tag from the line "owner /run/libvirt/qemu/swtpm/*.pid rwk," allowing libvirt-created pid files to be used.
[Test Plan]
The fix can be tested using virt-manager and an os using TPM:
# sudo apt update && sudo apt dist-upgrade -y
# sudo apt install virt-manager swtpm
Create a vm in virt-manager and on the last page
> Select "Customize configuration before install"
> Click Finish
> Click Add Hardware
> Select TPM with Model "TIS" and version 2.0
> Click "Begin Installation"
[Where problems could occur]
By removing the owner tag in line in the apparmor profile, any file with a .pid extension in /run/libvirt/qemu/swtpm/ will be manipulatable by swtpm. If swtpm were to act maliciously, it would have an overall greater reach in this folder.
[Original Description]
libvirt 8.6.0-0ubuntu1
apparmor 3.0.7-1ubuntu1
One of our CI tests runs virt-install in a specific way that ultimately fails with this in the error message:
ERROR internal error: Could not get process id of swtpm
The journal has this message:
audit: type=1400 audit(1662628523.308:121): apparmor="DENIED" operation="file_inherit" profile="swtpm" name="/run/libvirt/qemu/swtpm/1-VmNotInstalled-swtpm.pid" pid=13944 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=118 ouid=0
This is nested virtualization. If you need the exact invocation of virt-install, I can dig that out. |
|
2022-11-23 15:11:51 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/swtpm/+git/swtpm/+merge/433531 |
|
2022-11-27 10:34:25 |
Launchpad Janitor |
swtpm (Ubuntu Lunar): status |
In Progress |
Fix Released |
|
2022-12-01 17:59:20 |
Andreas Hasenack |
swtpm (Ubuntu Kinetic): status |
In Progress |
Fix Committed |
|
2022-12-01 17:59:23 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-12-01 17:59:25 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
2022-12-01 17:59:30 |
Andreas Hasenack |
tags |
server-todo |
server-todo verification-needed verification-needed-kinetic |
|
2022-12-01 18:19:15 |
Lena Voytek |
tags |
server-todo verification-needed verification-needed-kinetic |
server-todo verification-done verification-done-kinetic |
|
2022-12-12 21:30:31 |
Billy Kwong |
removed subscriber Billy Kwong |
|
|
|
2023-01-10 20:13:28 |
Launchpad Janitor |
swtpm (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
2023-01-10 20:13:31 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-01-10 20:30:51 |
Lena Voytek |
libvirt (Ubuntu Kinetic): status |
Confirmed |
Won't Fix |
|
2023-01-10 20:30:54 |
Lena Voytek |
libvirt (Ubuntu Lunar): status |
Confirmed |
Won't Fix |
|
2023-01-10 20:31:35 |
Lena Voytek |
libvirt (Ubuntu): status |
Confirmed |
Won't Fix |
|