Add sys_admin capability to apparmor profile by default

Bug #2071478 reported by Lena Voytek
This bug affects 1 person
Affects           Status                      Importance   Assigned to    Milestone
swtpm (Ubuntu)    Status tracked in Oracular
  Jammy           Fix Released                Undecided    Lena Voytek
  Mantic          Won't Fix                   Undecided    Lena Voytek
  Noble           Fix Released                Undecided    Lena Voytek
  Oracular        Fix Released                Undecided    Lena Voytek

Bug Description

[Impact]

The default apparmor profile for swtpm blocks access to kernel modules, which causes a failure when using the --vtpm-proxy argument, since it requires tpm_vtpm_proxy.

The fix for this should be backported so the vtpm-proxy works for users by default.

The issue is fixed by adding the sys_admin capability, which gives swtpm access to the required kernel modules.

[Test Plan]

$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm apparmor -y

$ mkdir /tmp/myvtpm

# Before fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
swtpm: Ioctl to create vtpm proxy failed: Operation not permitted

# After fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
New TPM device: /dev/tpm1 (major/minor = 253/1)

[Where problems could occur]

This change will allow swtpm to access various kernel modules by default. So if malicious code were to exist within swtpm, then it would have far greater access when running with super user permissions.

Likewise, with a change to the apparmor profile, a conflict will occur on update for users that modified their profile directly.

[Other Info]

The issue was fixed in oracular in 0.7.3-0ubuntu7.

[Original Description]

Based on the upstream discussion here - https://github.com/stefanberger/swtpm/discussions/866 - certain features of swtpm require access to kernel modules to work. For example, using --vtpm-proxy requires the tpm_vtpm_proxy module. This should work by default, and is fixed by adding capability sys_admin to the apparmor profile.
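Two checks a packager or administrator can run around this change, added here as an example; they are not part of the bug report or of the swtpm package. The first answers whether a profile text actually grants a capability (the explicit "capability sys_admin," rule, a multi-name rule, the optional "audit" prefix, or the bare "capability," rule that grants every capability, while "deny capability ..." rules are not counted). The second pulls the profile name and capability out of kernel AppArmor audit records of the form apparmor="DENIED" operation="capable" ... capname="sys_admin", which is what "journalctl -k" shows just before swtpm prints "Ioctl to create vtpm proxy failed: Operation not permitted". That EPERM is raised by the VTPM_PROXY_IOC_NEW_DEV ioctl on /dev/vtpmx, which the kernel's tpm_vtpm_proxy driver gates on capable(CAP_SYS_ADMIN); the profile therefore has to grant the capability even though the module itself is loaded separately with modprobe as root. The function names (profile_grants_cap, denied_caps, write_sample_profiles, write_sample_log, demo), the profile excerpts and the log lines are all constructed for this example and are not the contents of d/usr.bin.swtpm or of a real journal.

```sh
#!/bin/sh
# Added example: audit an AppArmor profile for a capability grant and pick
# capability denials out of kernel audit records. Not taken from the swtpm
# package or the bug report; the profile text and log lines are constructed.

# profile_grants_cap <profile-file> <capname>
# Exit 0 if the profile grants <capname>, 1 otherwise. Handles
# "capability sys_admin,", multi-name rules ("capability sys_admin sys_module,"),
# the optional "audit" prefix, and the bare "capability," rule (= every
# capability). "deny capability ..." rules do not count as grants.
profile_grants_cap() {
    sed 's/#.*//' "$1" | awk -v cap="$2" '
        /^[ \t]*(audit[ \t]+)?capability([ \t]|,)/ {
            sub(/,[ \t]*$/, "")                          # drop trailing comma
            sub(/^[ \t]*(audit[ \t]+)?capability/, "")   # drop the keyword
            if ($0 ~ /^[ \t]*$/) { found = 1; next }     # bare rule: every cap
            for (i = 1; i <= NF; i++) if ($i == cap) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# denied_caps <log-file>
# Prints one "profile capname" line per AppArmor capability denial in the
# file; file and other denials (operation="open", ...) are ignored. On a live
# system feed it the output of "journalctl -k" or /var/log/audit/audit.log.
denied_caps() {
    grep 'apparmor="DENIED"' "$1" | grep 'operation="capable"' |
        sed -n 's/.*profile="\([^"]*\)".*capname="\([^"]*\)".*/\1 \2/p'
}

# Constructed profile excerpts (not the real /etc/apparmor.d/usr.bin.swtpm).
write_sample_profiles() {
    cat >"$1/before.profile" <<'EOF'
/usr/bin/swtpm {
  # pre-fix: no capability rule at all
  /dev/vtpmx rw,
  /tmp/myvtpm/** rwk,
}
EOF
    cat >"$1/after.profile" <<'EOF'
/usr/bin/swtpm {
  # the rule this bug adds
  capability sys_admin,
  deny capability sys_module,
  /dev/vtpmx rw,
  /tmp/myvtpm/** rwk,
}
EOF
    cat >"$1/bare.profile" <<'EOF'
/usr/bin/swtpm {
  # far too broad: grants every capability
  capability,
}
EOF
}

# Constructed audit records in the kernel's AppArmor log format: one capability
# denial (what a pre-fix "swtpm --vtpm-proxy" run produces; 21 = CAP_SYS_ADMIN)
# and one file denial of the kind LP: #2072524 is about, which must be skipped.
write_sample_log() {
    cat >"$1" <<'EOF'
audit: type=1400 audit(1720000000.123:45): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/swtpm" pid=1234 comm="swtpm" capability=21  capname="sys_admin"
audit: type=1400 audit(1720000001.456:46): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/swtpm" name="/var/lib/libvirt/swtpm/tpm2.lock" pid=1234 comm="swtpm" requested_mask="w" denied_mask="w" fsuid=0 ouid=64055
EOF
}

# Run both checks over the sample data and print one line per result.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample_profiles "$dir"
    write_sample_log "$dir/audit.log"
    for p in before after bare; do
        if profile_grants_cap "$dir/$p.profile" sys_admin; then
            echo "$p.profile: grants sys_admin"
        else
            echo "$p.profile: does not grant sys_admin"
        fi
    done
    echo "capability denials in audit.log:"
    denied_caps "$dir/audit.log"
    rm -rf "$dir"
}

demo
```

On a live system the same two questions are answered with "grep -n capability /etc/apparmor.d/usr.bin.swtpm" (after "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.swtpm" if the file was edited) and "sudo journalctl -k | grep 'apparmor=\"DENIED\"'"; "sudo aa-status" shows whether the swtpm profile is loaded and in enforce mode. Because profile_grants_cap also flags the bare "capability," rule, it doubles as a check that a backport did not widen the grant beyond the single capability the fix needs.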

Lena Voytek (lvoytek)
no longer affects: swtpm (Ubuntu Focal)
Changed in swtpm (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Mantic):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Noble):
assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Oracular):
assignee: nobody → Lena Voytek (lvoytek)
status: New → In Progress
Lena Voytek (lvoytek)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.7.3-0ubuntu7

---------------
swtpm (0.7.3-0ubuntu7) oracular; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <email address hidden> Tue, 09 Jul 2024 06:06:00 -0700

Changed in swtpm (Ubuntu Oracular):
status: In Progress → Fix Released
Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Noble):
status: New → In Progress
Changed in swtpm (Ubuntu Mantic):
status: New → In Progress
Changed in swtpm (Ubuntu Jammy):
status: New → In Progress
Lena Voytek (lvoytek) wrote :

Removing mantic - EOL

Changed in swtpm (Ubuntu Mantic):
status: In Progress → Won't Fix
Lena Voytek (lvoytek)
description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Lena, or anyone else affected,

Accepted swtpm into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/swtpm/0.6.3-0ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in swtpm (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Changed in swtpm (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed-noble
Timo Aaltonen (tjaalton) wrote :

Hello Lena, or anyone else affected,

Accepted swtpm into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/swtpm/0.7.3-0ubuntu5.24.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (swtpm/0.6.3-0ubuntu3.3)

All autopkgtests for the newly accepted swtpm (0.6.3-0ubuntu3.3) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

swtpm/0.6.3-0ubuntu3.3 (armhf)
swtpm/unknown (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#swtpm

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Lena Voytek (lvoytek) wrote :

Tested on a local jammy and noble system:

$ sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list >/dev/null <<EOF
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
$ sudo apt update
$ sudo apt upgrade -y
# -proposed is pinned below -updates, so select the pocket explicitly and
# confirm the installed version is the one under test
$ sudo apt install -y -t "$(lsb_release -cs)-proposed" swtpm apparmor
$ dpkg-query -W -f='${Version}\n' swtpm

$ mkdir /tmp/myvtpm
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
New TPM device: /dev/tpm1 (major/minor = 253/1)

tags: added: verification-done verification-done-jammy verification-done-noble
removed: verification-needed verification-needed-jammy verification-needed-noble
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (swtpm/0.7.3-0ubuntu5.24.04.1)

All autopkgtests for the newly accepted swtpm (0.7.3-0ubuntu5.24.04.1) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

swtpm/unknown (s390x)
tpm2-pytss/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#swtpm

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.7.3-0ubuntu5.24.04.1

---------------
swtpm (0.7.3-0ubuntu5.24.04.1) noble; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <email address hidden> Tue, 30 Jul 2024 15:16:43 -0700

Changed in swtpm (Ubuntu Noble):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for swtpm has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Andreas Hasenack (ahasenack) wrote :

Thanks for the verification Lena, could you please confirm if the test plan execution from comment #6 was executed with the swtpm version from proposed? I can see that the proposed pocket was added, but given the default pinning it has nowadays (which makes it lower prio than updates or release), I can't tell if the actual package from proposed was installed. I suspect it was, because the test worked, and wasn't working before, but a quick confirmation would be ideal.

Lena Voytek (lvoytek) wrote :

Re-ran tests to confirm. I made sure 0.7.3-0ubuntu5.24.04.1 was used in noble, and 0.6.3-0ubuntu3.3 in jammy. Both tests are still successful. Thanks!

Andreas Hasenack (ahasenack) wrote :

I got confirmation from Lena that the correct versions from proposed were used.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.6.3-0ubuntu3.3

---------------
swtpm (0.6.3-0ubuntu3.3) jammy; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <email address hidden> Tue, 30 Jul 2024 15:22:09 -0700

Changed in swtpm (Ubuntu Jammy):
status: Fix Committed → Fix Released