The build for RISC-V causes timeouts when running tests in parallel due
to the CPU being emulated. Avoid the timeouts by not running parallel
tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
QEMU's functional tests need access to /var/tmp/**. To avoid the following
type of AppArmor permission failure, add a rule that allows access to
/var/tmp/**.
type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
operation="mknod" class="file" profile="swtpm" \
name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="stefanb" \
OUID="stefanb"
[ To run QEMU's functional tests use the following command:
make check-functional ]
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
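The AVC line quoted in the commit above is the kind of evidence that drives each of these profile changes. As an added example (not code from the swtpm project), the following parses such an AppArmor denial, filters it by profile, and derives a candidate rule for the local override file the later commit names, /etc/apparmor.d/local/usr.bin.swtpm. The collapsing of the per-instance path to /var/tmp/** mirrors what this commit did; the mapping of the log-only mask letters 'c' and 'd' to 'w' is my assumption about standard AppArmor file permissions.

```python
import re

# Constructed sample input: the denial quoted in the commit message above
# (the enriched FSUID/OUID fields are dropped here for brevity).
SAMPLE_AVC = (
    'type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" '
    'operation="mknod" class="file" profile="swtpm" '
    'name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" '
    'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000'
)

# key=value or key="quoted value" pairs as written by auditd / dmesg.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Split an AppArmor AVC line into a dict of its key/value fields."""
    fields = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def is_denial(fields, profile):
    """True if the parsed line is an AppArmor DENIED event for `profile`."""
    return fields.get("apparmor") == "DENIED" and fields.get("profile") == profile


def suggest_rule(fields, roots=()):
    """Derive a candidate file rule for /etc/apparmor.d/local/<profile>
    from a file-class denial.

    Assumption: the log-only mask letters 'c' (create) and 'd' (delete)
    are granted by 'w' in a rule. If the path lies under one of `roots`,
    the per-instance remainder is collapsed to '**', as this commit did
    for /var/tmp/.
    """
    if fields.get("class") != "file" or "name" not in fields:
        return None
    path = fields["name"]
    for root in roots:
        if path.startswith(root):
            path = root + "**"
            break
    mask = fields.get("denied_mask", "").replace("c", "w").replace("d", "w")
    perms = "".join(sorted(set(mask)))
    return f"{path} {perms},"


if __name__ == "__main__":
    f = parse_avc(SAMPLE_AVC)
    if is_denial(f, "swtpm"):
        print(suggest_rule(f, roots=("/var/tmp/",)))  # /var/tmp/** w,
```

Review any suggested rule before adding it; a denial only tells you what the confined process tried, not whether it should be allowed.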
Allow a user to pass profiles from the distro or local dirs directly
to swtpm. A rule to allow reading profiles from somewhere under the
HOME directory already exists.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm sometimes needs to create lock files in subdirectories of
/var/lib/libvirt/swtpm/. Since libvirt sets the owner of these
subdirectories to root, apparmor blocks swtpm's access to this when set to
owner. Add write permissions for lock files without the owner restriction
to the folder to fix wc denials.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
Some features of swtpm require kernel modules, such as --vtpm-proxy. Fix
apparmor denials related to this by adding capability sys_admin to the apparmor
profile.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
When running a VM connected to qemu:///session, swtpm needs access to its own
process id and socket files in /run/user/<UID>/libvirt/qemu/run/swtpm/. Add
permissions to access them in the apparmor profile.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
swtpm_cuse.8 is not generated anymore but it's a static file now
that must not be removed anymore via the debian/clean file.
Resolves: https://github.com/stefanberger/swtpm/issues/751
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
An apparmor profile was added for Debian-based distributions in order to
increase security. This blocks swtpm from accessing restricted and unnecessary
files, folders, and network interfaces. swtpm works as normal alongside libvirt
and its configurations; however, users may run into issues when using swtpm on
its own when providing it with a restricted directory. The apparmor profile can
be modified to include additional permissions by creating and adding to the
file /etc/apparmor.d/local/usr.bin.swtpm.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
According to the man page sections guideline, man8 should be used
for system administration commands. So this commit moves *.conf and
*.options files to man5.
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adapted from tpm-udev [0] which handles that, but it is not really a
hard-requirement for swtpm and TSS_USER is configurable after all
(even if that is mostly used for the test system).
So, create that user and group if they do not exist to avoid errors
and failing installation.
[0]: https://salsa.debian.org/debian/tpm-udev/-/blob/master/debian/tpm-udev.postinst
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Currently `trousers` is listed as a (hard) Dependency, but it does not
seem to be required for quite a few use cases, e.g., ours, where we are
mainly using swtpm for providing a TPM to VMs.
With trousers in Debian one gets an additional pain point: it comes
with a rather dated and, in some circumstances, erroneously failing init
script [0] that can throw errors when setting up during installation
and thus fail the whole installation of swtpm as Debian policy for
`Depends` hits:
> A package will not be configured unless all of the packages listed
> in its Depends field have been correctly configured
-- [1]
Declaring dependencies for things that are not a hard requirement means
that a user will be required to install more dependencies than
actually needed.
Just documenting that as the fact why I investigated the
hard requirement on trousers in the first place, not an actual
justification - it's a packaging bug after all.
So downgrade the dependency to "Suggests", as it seems a reasonable
level when checking its documented meaning:
> This is used to declare that one package may be more useful with
> one or more others. Using this field tells the packaging system and
> the user that the listed packages are related to this one and can
> perhaps enhance its usefulness, but that installing this one without
> them is perfectly reasonable.
-- [1]
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895201
[1]: https://www.debian.org/doc/debian-policy/ch-relationships.html
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
- Move content of swtpm-localca(8) manual page to swtpm_localca(8)
and make swtpm-localca(8) an alias for swtpm_localca(8), mirroring
the fact that /usr/bin/swtpm_localca is the actual program and
/usr/share/swtpm/swtpm-localca a wrapper for it.
- Change references to `swtpm-localca` in manual pages' content to
`swtpm_localca`, reflecting the actual name of the program they are
meant to document.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
- debian/clean: Add files that were not being automatically cleaned
up by dh(1)'s `clean` target.
- debian/control:
- Add new recommended/required fields and bump Standards-Version.
- Remove redundant build dependencies that are implied transitively.
- Bump debhelper dependency version to match debian/compat.
- Move swtpm-libs's ${misc:Pre-Depends} dependency to `Pre-Depends`.
Resolves `depends-on-misc-pre-depends` Lintian warning.
- Sort packages and dependency lists alphabetically as per
wrap-and-sort(1).
- debian/not-installed: List deliberately non-installed files to
avoid dh_missing(1) warnings.
- debian/rules:
- Pass --no-scripts to dh_makeshlibs(1) in order to keep a
ldconfig(8) trigger from being implicitly added, which for
this package was redundant and triggered Lintian warning
`package-has-unnecessary-activation-of-ldconfig-trigger`.
- Remove redundant --parallel dh flag.
- Remove redundant dh_usrlocal override.
- debian/*.install:
- Add swtpm-create-tpmca(8) and its manpage, which were missing.
- Remove redundant `#! /usr/bin/dh-exec` lines.
- Sort entries alphabetically as per wrap-and-sort(1).
- debian/swtpm-tools.postinst.in: Add `set -e` to fail in case of
error. Fixes `maintainer-script-ignores-errors` Lintian warning.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Replace the binary swtpm_localca with a script that now calls the binary
swtpm-localca, which is to be installed in $bindir.
So that we can use this script for calling swtpm-localca during testing
(when it is not installed), write the script in such a way that it
determines whether there's swtpm-localca in the same directory and, if not,
calls it from ${bindir}/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_localca in 'C' as a final step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent),
Fedora 28 PPC Big Endian
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_setup in 'C' as a first step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes the following issue when building a Debian package:
dh clean --parallel
dh: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dh_auto_clean -O--parallel
dh_auto_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dh_clean -O--parallel
dh_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dpkg-source -b .
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
$ dpkg-buildpackage -us -uc
dpkg-buildpackage: info: source package swtpm
dpkg-buildpackage: info: source version 0.5.0-1
dpkg-buildpackage: info: source distribution RELEASED
dpkg-buildpackage: info: source changed by Stefan Berger <stefanb@linux.ibm.com>
dpkg-source: error: can't build with source format '3.0 (native)':
native package version may not have a revision
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
The only place where pip is required is in src/swtpm_setup/Makefile.am, l. 48,
to uninstall a manually built package. Most people will have pip already
installed, since it comes bundled with Python by default. It might not be
installed by default in minimal build environments used for distribution
packaging, but these rely on the file tracking by a package manager instead of
using "make uninstall".
In conclusion, I think requiring pip is only helpful for a very limited number
of people, and is just a superfluous build dependency for distribution
packagers. Issuing a warning that the package cannot be uninstalled cleanly if
pip is not found seems enough.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Remove tpm-tools from runtime dependencies. Keep trousers for the
creation of the 'tss' user for now. Add python related dependencies.
Adjust the directory ownership for /var/lib/swtpm-localca to tss:root and
the mode flags to 0750. The new CA now may still be created as tss:tss but
users in the tss group will not have access to it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove swtpm_cuse related install script since not needed anymore.
Also address the following issues:
E: swtpm-tools: unknown-control-interpreter control/postinst #!/usr/bin/env
W: swtpm: syntax-error-in-debian-changelog line 25 "bad key-value after `;': `urgency medium'"
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove the CUSE TPM from the build and adjust the rules file
so that the build works on Ubuntu servers for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>