platform/local/tpm: create swtpm socket in temp directory under /tmp #860
Open
zhijianli88 wants to merge 1 commit into
The swtpm unix socket was created relative to the test output directory under _kola_temp/, which triggers AppArmor denials for the swtpm profile on systems with AppArmor enabled:

mantle debug log:
2026-06-10T08:40:19Z util: dnsmasq-dhcp[30]: RTR-SOLICIT(kola-2616517) 6e:2a:7b:93:45:aa
=== RUN cl.tpm.eventlog
2026-06-10T08:40:22Z platform/local: Prepared swtpm process "/usr/bin/swtpm socket --tpmstate dir=./tpm --ctrl type=unixio,path=./tpm/socket --tpm2" with CWD "_kola_temp/qemu-2026-06-10-0840-13/cl.tpm.eventlog/e2eba778-2553-4563-a150-2e2e40d61639"
2026-06-10T08:40:22Z platform/local: swtpm PID: 40
2026-06-10T08:40:22Z util: swtpm: Could not open UnixIO socket: Permission denied
2026-06-10T08:40:22Z platform: disabling auto-read-only for QEMU drives
2026-06-10T08:40:22Z platform/machine/qemu: NewMachine: ["qemu-system-aarch64" "-machine" "virt" "-cpu" "cortex-a57" "-m" "2512" "-smp" "4" "-uuid" "e2eba778-2553-4563-a150-2e2e40d61639" "-display" "none" "-chardev" "file,id=log,path=console.txt" "-serial" "chardev:log" "-object" "rng-random,filename=/dev/urandom,id=rng0" "-device" "virtio-rng-pci,rng=rng0" "-drive" "if=pflash,unit=0,file=/work/__build__/images/images/arm64-usr/latest/flatcar_production_qemu_uefi_efi_code.qcow2,format=qcow2,readonly=on" "-drive" "if=pflash,unit=1,file=flatcar_production_qemu_uefi_efi_vars.qcow2,format=qcow2" "-chardev" "socket,id=chrtpm,path=tpm/socket" "-tpmdev" "emulator,id=tpm0,chardev=chrtpm" "-device" "tpm-tis-device,tpmdev=tpm0" "-fw_cfg" "name=opt/org.flatcar-linux/config,file=ignition.json" "-add-fd" "fd=3,set=1" "-drive" "if=none,id=d3,format=qcow2,file=/dev/fdset/1,auto-read-only=off" "-device" "virtio-blk-device,drive=d3,serial=primary-disk,bootindex=1" "-netdev" "tap,id=tap,fd=4" "-device" "virtio-net-device,netdev=tap,mac=02:00:00:00:00:02"], cwd: "_kola_temp/qemu-2026-06-10-0840-13/cl.tpm.eventlog/e2eba778-2553-4563-a150-2e2e40d61639", "10.0.0.2", "10.0.0.2"
2026-06-10T08:40:22Z platform/machine/qemu: qemu PID (manual cleanup needed if --remove=false): 50
qemu-system-aarch64: -chardev socket,id=chrtpm,path=tpm/socket: Failed to connect to 'tpm/socket': No such file or directory
2026-06-10T08:40:23Z util: dnsmasq-dhcp[30]: RTR-SOLICIT(kola-2616517) 6e:2a:7b:93:45:aa
2026-06-10T08:40:28Z util: dnsmasq-dhcp[30]: RTR-ADVERT(br0) fd00::

host kernel audit:
journalctl -xe | grep 'DENIED.*swtpm' | tail -n 20
Jun 10 17:40:22 localhost kernel: audit: type=1400 audit(1781080822.038:163): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/work/__TESTS__/qemu_uefi/_kola_temp/qemu-2026-06-10-0840-13/cl.tpm.eventlog/e2eba778-2553-4563-a150-2e2e40d61639/tpm/socket" pid=1828693 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jun 10 17:43:39 localhost kernel: audit: type=1400 audit(1781081019.925:164): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/work/__TESTS__/qemu_uefi/_kola_temp/qemu-2026-06-10-0840-13/cl.tpm.eventlog/e2eba778-2553-4563-a150-2e2e40d61639/tpm/socket" pid=1828926 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jun 10 17:43:47 localhost kernel: audit: type=1400 audit(1781081027.251:165): apparmor="DENIED" operation="mknod" class="file" profile="swtpm" name="/work/__TESTS__/qemu_uefi/_kola_temp/qemu-2026-06-10-0840-13/cl.tpm.eventlog/e2eba778-2553-4563-a150-2e2e40d61639/tpm/socket" pid=1828943 comm="swtpm" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

The test runs inside a container managed by run_local_tests.sh which mounts the current directory into the container. The socket created under the mounted directory is subject to the host's AppArmor policy for the swtpm profile.

Create the socket in a temporary directory under /tmp/ instead, using os.MkdirTemp. This avoids the AppArmor restriction and prevents collisions between concurrent test runs.

The SocketRelativePathFromTestDir method is renamed to SocketPath and now returns an absolute path, since the socket is no longer placed relative to the test directory.

Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
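As an added illustration of the fix described above (example code, not mantle's own implementation), the pattern below creates the swtpm state directory with os.MkdirTemp and exposes only an absolute socket path; the SwTPM type, its methods and the kola-swtpm- directory prefix are assumptions made here.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// SwTPM owns one emulated TPM's state directory (hypothetical type, not mantle's).
type SwTPM struct {
	stateDir string // e.g. /tmp/kola-swtpm-2398413 (constructed example value)
}

// NewSwTPM creates a unique 0700 directory under os.TempDir() ($TMPDIR or /tmp).
// The random suffix keeps concurrent runs from colliding, and the socket is no
// longer under the bind-mounted _kola_temp/ tree that the host's AppArmor swtpm
// profile refuses mknod in.
func NewSwTPM() (*SwTPM, error) {
	dir, err := os.MkdirTemp("", "kola-swtpm-")
	if err != nil {
		return nil, fmt.Errorf("creating swtpm state dir: %w", err)
	}
	return &SwTPM{stateDir: dir}, nil
}

// SocketPath is absolute, so it stays valid whatever CWD swtpm and QEMU run with.
func (s *SwTPM) SocketPath() string { return filepath.Join(s.stateDir, "socket") }

// Command builds the swtpm invocation seen in the PR's log, with absolute paths.
func (s *SwTPM) Command() *exec.Cmd {
	return exec.Command("swtpm", "socket",
		"--tpmstate", "dir="+s.stateDir,
		"--ctrl", "type=unixio,path="+s.SocketPath(),
		"--tpm2")
}

// Close removes the directory and socket so /tmp does not accumulate leftovers.
func (s *SwTPM) Close() error { return os.RemoveAll(s.stateDir) }

func main() {
	s, err := NewSwTPM()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer s.Close()
	fmt.Println("state dir:", s.stateDir, "swtpm args:", s.Command().Args)
}
```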