Add sys_admin capability to apparmor profile by default
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| swtpm (Ubuntu) | Status tracked in Oracular | | | |
| Jammy | Fix Released | Undecided | Lena Voytek | |
| Mantic | Won't Fix | Undecided | Lena Voytek | |
| Noble | Fix Released | Undecided | Lena Voytek | |
| Oracular | Fix Released | Undecided | Lena Voytek | |
Bug Description
[Impact]
The default apparmor profile for swtpm blocks access to kernel modules, which causes a failure when using the --vtpm-proxy argument, since it requires tpm_vtpm_proxy.
The fix for this should be backported so the vtpm-proxy works for users by default.
The issue is fixed by adding the sys_admin capability, which gives swtpm access to the required kernel modules.
[Test Plan]
$ sudo apt update && sudo apt dist-upgrade -y
$ sudo apt install swtpm apparmor -y
$ mkdir /tmp/myvtpm
# Before fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
swtpm: Ioctl to create vtpm proxy failed: Operation not permitted
# After fix
$ sudo modprobe tpm_vtpm_proxy
$ sudo swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322
New TPM device: /dev/tpm1 (major/minor = 253/1)
[Where problems could occur]
This change will allow swtpm to access various kernel modules by default. So if malicious code were to exist within swtpm, then it would have far greater access when running with super user permissions.
Likewise, with a change to the apparmor profile, a conflict will occur on update for users that modified their profile directly.
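The test plan above verifies the fix by running swtpm, and the paragraph above warns that locally modified profiles will conflict on upgrade. The following added example (not code from the bug report or the swtpm package) lets you check the profile file itself instead: a small POSIX shell function that parses an AppArmor profile and reports whether it grants a named capability, handling the bare `capability,` rule, rules listing several capabilities, and `deny capability` rules. The two sample profiles it writes are constructed for this example and are not the packaged usr.bin.swtpm profile.

```shell
#!/bin/sh
# Added example, not code from the bug report or the swtpm package: check whether
# an AppArmor profile grants a given capability, so the before/after state of the
# swtpm profile can be verified from the file alone, without running swtpm.
# Assumptions: standard AppArmor rule syntax, where "capability sys_admin," grants
# that capability, a bare "capability," grants all of them, and a
# "deny capability ..." rule withholds it. The sample profiles are constructed.

# profile_grants_capability FILE CAP -> exit status 0 if CAP is granted, 1 if not.
profile_grants_capability() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                   # drop trailing comments
        /^[ \t]*(deny[ \t]+)?capability([ \t]|,)/ {
            deny = ($1 == "deny")
            line = $0
            sub(/,.*/, "", line)             # keep the part before the closing comma
            $0 = line                        # re-split the rule on whitespace
            start = deny ? 3 : 2             # first field after the keyword
            hit = (NF < start)               # bare "capability," rule: all caps
            for (i = start; i <= NF; i++) if ($i == want) hit = 1
            if (hit) { if (deny) denied = 1; else granted = 1 }
        }
        END { if (granted && !denied) exit 0; exit 1 }
    ' "$1"
}

# write_sample_profiles BEFORE_FILE AFTER_FILE: writes two constructed profiles;
# the second differs only by the capability rule this bug adds.
write_sample_profiles() {
    cat > "$1" <<'EOF'
# Constructed sample profile (not the packaged usr.bin.swtpm)
abi <abi/3.0>,
include <tunables/global>

profile swtpm /usr/bin/swtpm {
  include <abstractions/base>
  network inet stream,
  /dev/tpm[0-9]* rw,
  /tmp/** rwk,
}
EOF
    cat > "$2" <<'EOF'
# Constructed sample profile with the fix applied (not the packaged usr.bin.swtpm)
abi <abi/3.0>,
include <tunables/global>

profile swtpm /usr/bin/swtpm {
  include <abstractions/base>
  capability sys_admin,   # needed for --vtpm-proxy
  network inet stream,
  /dev/tpm[0-9]* rw,
  /tmp/** rwk,
}
EOF
}

# report FILE: one-line summary, as you would run it against
# /etc/apparmor.d/usr.bin.swtpm before and after the upgrade.
report() {
    if profile_grants_capability "$1" sys_admin; then
        echo "$1: sys_admin granted (vtpm proxy creation should succeed)"
    else
        echo "$1: sys_admin not granted (expect 'Operation not permitted')"
    fi
}

# Demo when run directly: write the two samples and report on each.
demo_dir="$(mktemp -d)"
write_sample_profiles "$demo_dir/before" "$demo_dir/after"
report "$demo_dir/before"
report "$demo_dir/after"
```

To use it on a real system, run `report /etc/apparmor.d/usr.bin.swtpm`; a profile that still lacks the rule after upgrading is a sign that a locally modified copy was kept during the package update, which is the conflict described above.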
[Other Info]
The issue was fixed in oracular in 0.7.3-0ubuntu7.
[Original Description]
Based on the upstream discussion here - https:/
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 38 lines (+12/-0), 2 files modified: debian/changelog (+10/-0), debian/usr.bin.swtpm (+2/-0)
no longer affects: swtpm (Ubuntu Focal)
Changed in swtpm (Ubuntu Jammy): assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Mantic): assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Noble): assignee: nobody → Lena Voytek (lvoytek)
Changed in swtpm (Ubuntu Oracular): assignee: nobody → Lena Voytek (lvoytek); status: New → In Progress
description: updated
Changed in swtpm (Ubuntu Noble): status: New → In Progress
Changed in swtpm (Ubuntu Mantic): status: New → In Progress
Changed in swtpm (Ubuntu Jammy): status: New → In Progress
description: updated
This bug was fixed in the package swtpm - 0.7.3-0ubuntu7
---------------
swtpm (0.7.3-0ubuntu7) oracular; urgency=medium
* d/usr.bin.swtpm: libvirt/ swtpm/ to fix
- Add sys_admin capability to apparmor profile to allow access to kernel
modules such as tpm_vtpm_proxy (LP: #2071478)
- Allow non-owned lockfile write access in /var/lib/
apparmor denials when working with TPM2 locks (LP: #2072524)
-- Lena Voytek <email address hidden> Tue, 09 Jul 2024 06:06:00 -0700