apparmor profile needs extension

Bug #1968335 reported by Andre Wagner
Affects: swtpm (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Lena Voytek

Bug Description

Hi team,
I've tried to create a socket-activated systemd service for supplying a software tpm for qemu. As it didn't work, I recognized that the swtpm package ships an apparmor profile. To make it work I have to add a read/write/lock permission for the tpm's nvram folder and a read/write permission for the tpm's unix socket used for the connection with qemu.

Since there is no default location for the tpm nvram (correct?) I suggest using "/var/lib/swtpm" which follows the /var/lib/<package> convention.

Since there is no default location for the tpm unix socket I suggest using "/run/swtpm/sock" which follows the systemd.socket unit conventions.

A patch which adds the settings is attached to this message.

Greetings,
André

Tags: patch
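
The report above found the missing permissions by noticing that the confined swtpm could not reach its nvram folder and socket. The following Python is an added example (not part of the report or the attached patch) that collects AppArmor denials for one profile from kernel audit lines and turns them into candidate file rules; the log lines are constructed, and the profile name "swtpm" and the file names under /var/lib/swtpm are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines; profile name and file names are assumptions.
SAMPLE_LOG = """\
audit: type=1400 audit(1649750000.101:201): apparmor="DENIED" operation="mknod" profile="swtpm" name="/var/lib/swtpm/tpm2-00.permall" pid=4242 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1649750000.102:202): apparmor="DENIED" operation="open" profile="swtpm" name="/var/lib/swtpm/.lock" pid=4242 comm="swtpm" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1649750000.103:203): apparmor="DENIED" operation="file_lock" profile="swtpm" name="/var/lib/swtpm/.lock" pid=4242 comm="swtpm" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1649750000.104:204): apparmor="DENIED" operation="file_perm" profile="swtpm" name="/run/swtpm/sock" pid=4242 comm="swtpm" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1649750000.105:205): apparmor="ALLOWED" operation="open" profile="other" name="/etc/hostname" pid=1 comm="x" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')      # quoted key="value" pairs only
MASK_TO_PERM = {"c": "w", "d": "w"}         # create/delete are granted by 'w'
PERM_ORDER = "rwaklmx"                      # stable order for rule output


def denied_rules(log, profile="swtpm"):
    """Return {path: perms} aggregated over DENIED events of one profile."""
    perms = defaultdict(set)
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        if "name" not in f:                 # not a file-path denial
            continue
        for ch in f.get("denied_mask", ""):
            perms[f["name"]].add(MASK_TO_PERM.get(ch, ch))
    out = {}
    for path, got in sorted(perms.items()):
        if "w" in got:
            got.discard("a")                # 'w' and 'a' conflict; 'w' covers it
        out[path] = "".join(c for c in PERM_ORDER if c in got)
    return out


def rule_lines(rules):
    """Format the aggregated permissions as AppArmor file rules for review."""
    return [f"  {path} {perms}," for path, perms in rules.items()]


if __name__ == "__main__":
    print("\n".join(rule_lines(denied_rules(SAMPLE_LOG))))
```

The output is a list of exact paths to review before widening any of them to a directory glob in the profile.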

Andre Wagner (wagnerandre85) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "add_socket_and_nvram.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Lena Voytek (lvoytek) wrote :

Thanks for the report and patch, I will get this added

Changed in swtpm (Ubuntu):
assignee: nobody → Lena Voytek (lvoytek)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package swtpm - 0.6.3-0ubuntu3

---------------
swtpm (0.6.3-0ubuntu3) jammy; urgency=medium

  * d/usr.bin.swtpm: Add additional apparmor rules
    - allow full interaction with libvirt (LP: #1968187)
    - add qemu socket rules (LP: #1968335)

 -- Lena Voytek <email address hidden> Tue, 12 Apr 2022 07:49:45 -0700

Changed in swtpm (Ubuntu):
status: In Progress → Fix Released
Andre Wagner (wagnerandre85) wrote :

I've also retested your fix. It works like a charm. Thank you very much.
