Merge ~hectorcao/ubuntu/+source/libvirt:lp2120278-noble into ubuntu/+source/libvirt:ubuntu/noble-devel

Proposed by Hector CAO
Status: Needs review
Proposed branch: ~hectorcao/ubuntu/+source/libvirt:lp2120278-noble
Merge into: ubuntu/+source/libvirt:ubuntu/noble-devel
Diff against target: 90 lines (+68/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch (+60/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt (community) Approve
git-ubuntu import Pending
Review via email: mp+492652@code.launchpad.net
Christian Ehrhardt (paelzer) wrote :
review: Approve
Christian Ehrhardt (paelzer) wrote :

Combined two fixes that were ready and uploaded

Uploading libvirt_10.0.0-2ubuntu8.9.dsc
Uploading libvirt_10.0.0-2ubuntu8.9.debian.tar.xz
Uploading libvirt_10.0.0-2ubuntu8.9_source.buildinfo
Uploading libvirt_10.0.0-2ubuntu8.9_source.changes

Unmerged commits

e333837... by Hector CAO

changelog

2881783... by Hector CAO

d/p/u-aa/lp2120278-*: virt-aa-helper: Avoid duplicate when append rule (LP: #2120278)

Signed-off-by: Hector Cao <email address hidden>

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 86d7472..a57fc7a 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libvirt (10.0.0-2ubuntu8.9) noble; urgency=medium
7+
8+ * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule
9+ (LP: #2120278)
10+
11+ -- Hector Cao <hector.cao@canonical.com> Wed, 17 Sep 2025 01:20:45 +0200
12+
13 libvirt (10.0.0-2ubuntu8.8) noble; urgency=medium
14
15 [ Lukas Märdian ]
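Review bot: the changelog entry `+ * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule` names the wrong patch prefix. The file this proposal adds is `debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch` and the bug reference on the next line is `(LP: #2120278)`, so the line should read `d/p/u-aa/lp2120278-*`, matching the series entry and the commit message; the stray space before the colon can go at the same time. Everything else in the stanza (version `10.0.0-2ubuntu8.9`, `noble`, maintainer trailer) is consistent with the upload listed above.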
16diff --git a/debian/patches/series b/debian/patches/series
17index 66f6acd..14dab0f 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -61,3 +61,4 @@ ubuntu-aa/virt-aa-helper-allow-riscv64-EDK-II.patch
21 ubuntu/lp-2084136-fix-get-number-block-io-throttle-params.patch
22 ubuntu-aa/lp-2100024-Allow-SGX-if-configured.patch
23 ubuntu/lp2106812-cpu_map-Drop-mpx-from-x86-cpu-models.patch
24+ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch
25diff --git a/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch b/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch
26new file mode 100644
27index 0000000..5b36e59
28--- /dev/null
29+++ b/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch
30@@ -0,0 +1,60 @@
31+From 35862b423aaf58c2a0e06a8d60b1298ea711d0a1 Mon Sep 17 00:00:00 2001
32+From: Hector Cao <hector.cao@canonical.com>
33+Date: Wed, 17 Sep 2025 01:32:24 +0200
34+Subject: [PATCH] virt-aa-helper: Avoid duplicate when append rule
35+
36+when a device is dynamically attached to a VM, and it needs a special
37+system access for apparmor, libvirt calls virt-aa-helper (with argument -F)
38+to append a new rule to the apparmor profile of the VM. virt-aa-helper does
39+not check for duplicate and blindly appends the rule to the profile. since
40+there is no rule removal when a device is detached, this can make the profile
41+grow in size if a big number of attach/detach operations are done and the
42+profile might hit the size limit and futur attach operations might dysfunction
43+because no rule can be added into the apparmor profile.
44+
45+this patch tries to mitigate this issue by doing a duplicate check
46+when rules are appended into the profile. this fix does not guarantee
47+the absence of duplicates but should be enough to prevent the profile
48+to grow significantly in size and reach its size limit.
49+
50+Signed-off-by: Hector CAO <hector.cao@canonical.com>
51+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
52+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
53+
54+Origin: backport, https://github.com/libvirt/libvirt/commit/291dbefd074378df6b541fc1c19d3504279e069b
55+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/2120278
56+---
57+ src/security/virt-aa-helper.c | 15 +++++++++++++--
58+ 1 file changed, 13 insertions(+), 2 deletions(-)
59+
60+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
61+index 0374581f07..008ea4f3e0 100644
62+--- a/src/security/virt-aa-helper.c
63++++ b/src/security/virt-aa-helper.c
64+@@ -215,10 +215,21 @@ update_include_file(const char *include_file, const char *included_files,
65+ return rc;
66+ }
67+
68+- if (append && virFileExists(include_file))
69++ if (append && existing) {
70++ /* Duplicate check: include_files might contain multiple rules
71++ * the best is to check for each rule (separated by \n) but
72++ * it might be overkilled, just do the check for the whole
73++ * include_files.
74++ * Most of the time, include_files contains only one rule
75++ * so this check is OK to avoid the overflow of the profile
76++ * duplicates might still exist though.
77++ */
78++ if (strstr(existing, included_files) != NULL)
79++ return 0;
80+ pcontent = g_strdup_printf("%s%s", existing, included_files);
81+- else
82++ } else {
83+ pcontent = g_strdup_printf("%s%s", warning, included_files);
84++ }
85+
86+ plen = strlen(pcontent);
87+ if (plen > MAX_FILE_LEN) {
88+--
89+2.45.2
90+
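Review bot: the replaced condition `+ if (append && existing) {` changes the test from "the include file exists on disk" to "`existing` is non-NULL", and the code that populates `existing` lies outside this hunk; confirm that `existing` is set exactly when `virFileExists(include_file)` was true in the old code, since the two branches now build `pcontent` with different prefixes (`existing` versus `warning`). The early `+ return 0;` runs before `pcontent` is allocated, so nothing from this hunk leaks, but if `existing` is a plain heap pointer freed later in the function rather than a `g_autofree` variable, that return skips the free; worth checking the declaration. Note also that `strstr(existing, included_files)` is substring matching rather than whole-rule matching: the patch comment and commit message cover the case where duplicates slip through (several rules in `included_files` not appearing contiguously), but not the opposite case where a rule that happens to be a substring of existing content is treated as already present and silently not appended, which would leave the attached device without its rule; a per-line comparison of `included_files` against the lines of `existing` would close both gaps at little cost. Finally, the DEP-3 `Origin: backport, <upstream commit>` and `Bug-Ubuntu:` headers are present as required, and the commit description could use a spelling pass ("futur", "dysfunction", "overkilled") before upload.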
