[FFe] wrap swtpm in an apparmor profile
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
swtpm (Ubuntu) |
Fix Released
|
High
|
Lena Voytek |
Bug Description
Dear Release Team,
Please accept the swtpm apparmor profile as a Jammy FFe.
PPA: ppa:lvoytek/
[Rationale]
swtpm is being MIRed right now (bug 1948748) and while not (yet, still in security revieww) being called out explicitly - adding in the apparmor profile is a good addition in regard to security. Eventually this is another new guest<->host interface which generally are high ranked in attack profiles - so adding another layer (Steve already made the user swtpm runs with more safe) of security seems like an important thing.
[Regression Potential]
If the apparmor profile is missing certain exceptions then some users may encounter permission denied errors with their setup.
But before Jammy swtpm wasn't in the Archive at all and that isn't released yet - so it can't be felt like a regression. And the profile has the usual means of local includes to allow users to overcome this without too much hazzle.
swtpm is not seeded (but about to, see MIR bug above).
[Proposed upload]
Code: https:/
Build: https:/
[Tests]
autopkgtest output:
=======
Testsuite summary for swtpm 0.6.1
=======
# TOTAL: 58
# PASS: 50
# SKIP: 8
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
=======
make[3]: Leaving directory '/tmp/autopkgte
make[2]: Leaving directory '/tmp/autopkgte
make[1]: Leaving directory '/tmp/autopkgte
make[1]: Entering directory '/tmp/autopkgte
make[1]: Leaving directory '/tmp/autopkgte
autopkgtest [10:14:10]: test run-tests: -------
autopkgtest [10:14:11]: test run-tests: - - - - - - - - - - results - - - - - - - - - -
run-tests PASS
autopkgtest [10:14:11]: @@@@@@@
run-tests PASS
qemu-system-x86_64: terminating on signal 15 from pid 58469 (/usr/bin/python3)
[Original Description]
This is a spin off from MIR bug 1948748 for swtpm.
As we can see in bug 1859506 it currently seems to run in guest-context which is good as that is already rather reduced and safer than e.g. the libvirt daemon.
But still we should evaluate adding a further reduced profile just for swtpm and have it transition there.
Related branches
- Christian Ehrhardt (community): Approve
- Serge Hallyn (community): Approve
- Canonical Server: Pending requested
-
Diff: 85 lines (+41/-0)5 files modifieddebian/changelog (+10/-0)
debian/control (+1/-0)
debian/rules (+5/-0)
debian/swtpm.install (+1/-0)
debian/usr.bin.swtpm (+24/-0)
CVE References
tags: | added: server-todo |
Changed in libvirt (Ubuntu): | |
status: | New → Triaged |
Changed in libvirt (Ubuntu): | |
assignee: | nobody → Lena Voytek (lvoytek) |
Changed in swtpm (Ubuntu): | |
status: | New → In Progress |
Changed in libvirt (Ubuntu): | |
status: | Triaged → In Progress |
Changed in swtpm (Ubuntu): | |
assignee: | nobody → Lena Voytek (lvoytek) |
tags: |
added: server-next removed: server-todo |
summary: |
- wrap swtpm in an apparmor profile + [FFe] wrap swtpm in an apparmor profile |
description: | updated |
tags: |
added: server-todo removed: server-next |
description: | updated |
description: | updated |
Changed in swtpm (Ubuntu): | |
status: | In Progress → New |
description: | updated |
Hi Christian,
I know this is known and you're aware of this but I am marking this as "Triaged" so it doesn't come across as a "New" bug which has no actions from the triager. :)