Merge ~hectorcao/ubuntu/+source/libvirt:lp2120278-plucky into ubuntu/+source/libvirt:ubuntu/plucky-devel

Proposed by Hector CAO
Status: Needs review
Proposed branch: ~hectorcao/ubuntu/+source/libvirt:lp2120278-plucky
Merge into: ubuntu/+source/libvirt:ubuntu/plucky-devel
Diff against target: 89 lines (+67/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch (+59/-0)
Reviewer | Review Type | Date Requested | Status
Christian Ehrhardt | community | | Approve
git-ubuntu | import | | Pending
Review via email: mp+492653@code.launchpad.net
Christian Ehrhardt (paelzer) wrote :

Target release, target version, changelog, patch header, all seems good to me.

Usually we (server team habit) directly couple this with a PPA for testing, but here we might combine it with other fixes for the SRU so it is ok to not have that (save the busy builders some work).

+1 (with a hint)

review: Approve
Christian Ehrhardt (paelzer) wrote :

Combined two fixes that were ready and uploaded.

Uploading libvirt_11.0.0-2ubuntu6.3.dsc
Uploading libvirt_11.0.0-2ubuntu6.3.debian.tar.xz
Uploading libvirt_11.0.0-2ubuntu6.3_source.buildinfo
Uploading libvirt_11.0.0-2ubuntu6.3_source.changes

Unmerged commits

d406101... by Hector CAO

changelog

a07c2a9... by Hector CAO

d/p/u-aa/lp2120278-*: virt-aa-helper: Avoid duplicate when append rule (LP: #2120278)

Signed-off-by: Hector Cao <email address hidden>

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 271948d..acc2092 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libvirt (11.0.0-2ubuntu6.3) plucky; urgency=medium
7+
8+ * d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule
9+ (LP: #2120278)
10+
11+ -- Hector Cao <hector.cao@canonical.com> Wed, 17 Sep 2025 01:13:17 +0200
12+
13 libvirt (11.0.0-2ubuntu6.2) plucky; urgency=medium
14
15 * l-d-config-network.postinst: clear 'autostarted' state, to activate
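Review bot: the changelog entry `* d/p/u-aa/lp2079869-* : virt-aa-helper: Avoid duplicate when append rule` names the wrong patch prefix: the file added in this merge is `debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch`, and `lp2079869-*` already matches the unrelated, pre-existing `lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch` in the series. Suggest `* d/p/u-aa/lp2120278-*: virt-aa-helper: Avoid duplicate when append rule` so the entry matches both the file and the commit message (`d/p/u-aa/lp2120278-*: ...`); the stray space before the colon can go at the same time.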
16diff --git a/debian/patches/series b/debian/patches/series
17index d4294f1..6bdac62 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -29,3 +29,4 @@ ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch
21 ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch
22 ubuntu-aa/lp2079869-allow-access-for-bridge-helper-to-sys-devices-system.patch
23 ubuntu-aa/lp-2100024-Allow-SGX-if-configured.patch
24+ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch
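Review bot: the new entry is appended at the end of the ubuntu-aa block and its file name matches the patch created below, so the series is consistent with the delta. A style point only: the block now mixes `lp-NNNNNNN-` and `lpNNNNNNN-` prefixes (`lp-2100024-Allow-SGX-if-configured.patch` directly above versus `lp2079869-...` and the new `lp2120278-...`); worth settling on one form for future additions, not something to change in this upload.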
25diff --git a/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch b/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch
26new file mode 100644
27index 0000000..6e5cc21
28--- /dev/null
29+++ b/debian/patches/ubuntu-aa/lp2120278-virt-aa-helper-Avoid-duplicate-when-append-rule.patch
30@@ -0,0 +1,59 @@
31+From: Hector Cao <hector.cao@canonical.com>
32+Subject: virt-aa-helper: Avoid duplicate when append rule
33+
34+when a device is dynamically attached to a VM, and it needs a special
35+system access for apparmor, libvirt calls virt-aa-helper (with argument -F)
36+to append a new rule to the apparmor profile of the VM. virt-aa-helper does
37+not check for duplicate and blindly appends the rule to the profile. since
38+there is no rule removal when a device is detached, this can make the profile
39+grow in size if a big number of attach/detach operations are done and the
40+profile might hit the size limit and futur attach operations might dysfunction
41+because no rule can be added into the apparmor profile.
42+
43+this patch tries to mitigate this issue by doing a duplicate check
44+when rules are appended into the profile. this fix does not guarantee
45+the absence of duplicates but should be enough to prevent the profile
46+to grow significantly in size and reach its size limit.
47+
48+Signed-off-by: Hector CAO <hector.cao@canonical.com>
49+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
50+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
51+
52+Origin: upstream, https://github.com/libvirt/libvirt/commit/291dbefd074378df6b541fc1c19d3504279e069b
53+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/2120278
54+
55+---
56+ src/security/virt-aa-helper.c | 15 +++++++++++++--
57+ 1 file changed, 13 insertions(+), 2 deletions(-)
58+
59+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
60+index b662d971cb..8a297d4b54 100644
61+--- a/src/security/virt-aa-helper.c
62++++ b/src/security/virt-aa-helper.c
63+@@ -208,10 +208,21 @@ update_include_file(const char *include_file, const char *included_files,
64+ return -1;
65+ }
66+
67+- if (append && virFileExists(include_file))
68++ if (append && existing) {
69++ /* Duplicate check: include_files might contain multiple rules
70++ * the best is to check for each rule (separated by \n) but
71++ * it might be overkilled, just do the check for the whole
72++ * include_files.
73++ * Most of the time, include_files contains only one rule
74++ * so this check is OK to avoid the overflow of the profile
75++ * duplicates might still exist though.
76++ */
77++ if (strstr(existing, included_files) != NULL)
78++ return 0;
79+ pcontent = g_strdup_printf("%s%s", existing, included_files);
80+- else
81++ } else {
82+ pcontent = g_strdup_printf("%s%s", warning, included_files);
83++ }
84+
85+ plen = strlen(pcontent);
86+ if (plen > MAX_FILE_LEN) {
87+--
88+2.45.2
89+
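Review bot: the duplicate check `if (strstr(existing, included_files) != NULL) return 0;` only catches the case where the whole `included_files` string already appears verbatim in `existing`, so a call carrying several rules whose lines are already present in a different order, or interleaved with other rules, is still appended; the in-code comment acknowledges this, and the description says the fix does not guarantee absence of duplicates. Two things worth confirming in the bug before accepting that trade-off: that the dynamic attach path passes one rule per call, which is the profile-growth case the description targets, and that `existing` in the new condition `if (append && existing)` is NULL whenever the include file did not exist, so that it is equivalent to the replaced `if (append && virFileExists(include_file))` (the context above the hunk, `return -1; }`, suggests the file is read there, but the hunk does not show it). One edge case the hunk introduces: an empty `included_files` makes `strstr` return a non-NULL pointer, so the function now returns 0 without rewriting the file instead of rewriting it unchanged; harmless, but different from before. Since this is an upstream-origin patch (`Origin: upstream, https://github.com/libvirt/libvirt/commit/291dbefd074378df6b541fc1c19d3504279e069b`) the code should stay as upstream has it; the description typos (`futur`, `overkilled`) are cosmetic.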
