Ubuntu
libvirt package

Merge ~paelzer/ubuntu/+source/libvirt:fix-lp-1879325-metadata-GROOVY into ubuntu/+source/libvirt:ubuntu/groovy-devel

  1. Git
  2. lp:~paelzer/ubuntu/+source/libvirt
  3. fix-lp-1879325-metadata-GROOVY
  4. Merge into ubuntu/groovy-devel
Proposed by Christian Ehrhardt 
Status: Merged
Merged at revision: 92c232ffe510f509fe47ad10ad9b31f75b0fb32b
Proposed branch: ~paelzer/ubuntu/+source/libvirt:fix-lp-1879325-metadata-GROOVY
Merge into: ubuntu/+source/libvirt:ubuntu/groovy-devel
Diff against target: 158 lines (+130/-0)
4 files modified
debian/changelog (+7/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch (+44/-0)
debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch (+77/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server Pending
Canonical Server packageset reviewers Pending
Review via email: mp+384243@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4068/+packages

WIP until we know from the reporter if this is enough.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Well, let me open up the MPs for pre-review - even though there might be more coming later ...

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

+1 as you said this is a pre-review. I'll do the full review whenever you need.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

FYI updated along my upstream contribution ...
PPA updated as well

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I Pushed an update to the upstream accepted version of the patch (no-op for Ubuntu as the change was for selinux).

Also Updated the PPA with the newest build.

Ready for final-review

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Non case specific regression testing is a few thousand tests in and still working.
Things should be good, let me know if you spot any mistake in the MP, otherwise I'll sponsor later on today.

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

# CHECKLIST
----------------------------
 [.] changelog entry correct:
 [.] targeted to correct codename
 [.] version number is correct
 [.] update-maintainer has been run before
 ----
 [.] changes forwarded upstream/debian (if appropriate)
 [.] patches match what was proposed upstream
 ----
 [.] patches correctly included in debian/patches/series?
 [.] patches have correct DEP3 metadata
 ----
 [.] relying on PPA only for build check ?
 [.] if relying on PPA, did it install correctly ?
 ----
 [-] building it locally ?
 [-] if building locally, was source build good ?
 [-] if building locally, was binary build good ?
 ----
 [-] was autopkgtest tested ?
 ----
 [-] is this a SRU ?
 [-] if a SRU, does the public bug have a template ?
 [-] is this a bundle of fixes ?
 [.] is this a single fix ?
 ----
 [.] if single fix, was testcase provided ?
 [-] if single fix, and testcase provided, could I reproduce it ?
 [-] if single fix, and testcase provided, did it work ?
 ----
 [-] is this a MERGE ?
 [-] if MERGE, is there a public bug referred ?
 [-] if MERGE, does it add/remove existing packages ?
 [-] if MERGE, does it bump library SONAME ?
----------------------------
 [.] = ok | [x] = not ok | [?] = question | [!] = note | [-] = n/a
----------------------------
# comments:

all good here, +1.
----

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/libvirt
 * [new tag] upload/6.0.0-0ubuntu9 -> upload/6.0.0-0ubuntu9

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading libvirt_6.0.0-0ubuntu9.dsc: done.
  Uploading libvirt_6.0.0-0ubuntu9.debian.tar.xz: done.
  Uploading libvirt_6.0.0-0ubuntu9_source.buildinfo: done.
  Uploading libvirt_6.0.0-0ubuntu9_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index a551db0..78a41da 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libvirt (6.0.0-0ubuntu9) groovy; urgency=medium
7+
8+ * d/p/ubuntu/lp-1879325-*: avoid issues with apparmor metadata labeling
9+ (LP: #1879325)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 20 May 2020 06:59:57 +0200
12+
13 libvirt (6.0.0-0ubuntu8) focal; urgency=medium
14
15 * d/control, d/rules: Disable rbd and zfs on riscv64 where they are
16diff --git a/debian/patches/series b/debian/patches/series
17index 3f54079..c5989b2 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -80,3 +80,5 @@ ubuntu/lp-1853200-cpu_map-Don-t-use-new-noTSX-models-for-host-model-CP.patch
21 ubuntu/lp-1868528-util-virhostcpu-Fail-when-fetching-CPU-Stats-for-inv.patch
22 ubuntu-aa/lp-1871354-apparmor-avoid-denials-on-libpmem-initialization.patch
23 ubuntu/CVE-CVE-2020-10701-api-disallow-virDomainAgentSetResponseTimeout-on-rea.patch
24+ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
25+ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch
26diff --git a/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch b/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
27new file mode 100644
28index 0000000..a92307a
29--- /dev/null
30+++ b/debian/patches/ubuntu/lp-1879325-Don-t-require-secdrivers-to-implement-.domainMoveIma.patch
31@@ -0,0 +1,44 @@
32+From cc8c297e473afd55e5d8e35e18345d8df176059d Mon Sep 17 00:00:00 2001
33+From: Michal Privoznik <mprivozn@redhat.com>
34+Date: Mon, 18 May 2020 10:07:30 +0200
35+Subject: [PATCH] Don't require secdrivers to implement
36+ .domainMoveImageMetadata
37+
38+The AppArmor secdriver does not use labels to grant access to
39+resources. Therefore, it doesn't use XATTRs and hence it lacks
40+implementation of .domainMoveImageMetadata callback. This leads
41+to a harmless but needless error message appearing in the logs:
42+
43+ virSecurityManagerMoveImageMetadata:476 : this function is not
44+ supported by the connection driver: virSecurityManagerMoveImageMetadata
45+
46+Closes: https://gitlab.com/libvirt/libvirt/-/issues/25
47+
48+Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
49+Reviewed-by: Erik Skultety <eskultet@redhat.com>
50+
51+Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=cc8c297e473afd55e5d8e35e18345d
52+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879325
53+Last-Update: 2020-05-20
54+
55+---
56+ src/security/security_manager.c | 3 +--
57+ 1 file changed, 1 insertion(+), 2 deletions(-)
58+
59+diff --git a/src/security/security_manager.c b/src/security/security_manager.c
60+index 2dea294784..b1237d63b6 100644
61+--- a/src/security/security_manager.c
62++++ b/src/security/security_manager.c
63+@@ -473,8 +473,7 @@ virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr,
64+ return ret;
65+ }
66+
67+- virReportUnsupportedError();
68+- return -1;
69++ return 0;
70+ }
71+
72+
73+--
74+2.26.0
75+
76diff --git a/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch b/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch
77new file mode 100644
78index 0000000..4f3b857
79--- /dev/null
80+++ b/debian/patches/ubuntu/lp-1879325-security-don-t-fail-if-built-without-attr-support.patch
81@@ -0,0 +1,77 @@
82+From 55029d93150e33d70b02b6de2b899c05054c5d3a Mon Sep 17 00:00:00 2001
83+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
84+Date: Tue, 26 May 2020 09:33:38 +0200
85+Subject: [PATCH] security: don't fail if built without attr support
86+
87+If built without attr support removing any image will trigger
88+ qemuBlockRemoveImageMetadata (the one that emits the warning)
89+ -> qemuSecurityMoveImageMetadata
90+ -> virSecurityManagerMoveImageMetadata
91+ -> virSecurityDACMoveImageMetadata
92+ -> virSecurityDACMoveImageMetadataHelper
93+ -> virProcessRunInFork (spawns subprocess)
94+ -> virSecurityMoveRememberedLabel
95+
96+In there due to !HAVE_LIBATTR virFileGetXAttrQuiet will return
97+ENOSYS and from there the chain will error out.
98+
99+That is wrong and looks like:
100+ libvirtd[6320]: internal error: child reported (status=125):
101+ libvirtd[6320]: Unable to remove disk metadata on vm testguest from
102+ /var/lib/uvtool/libvirt/images/testguest.qcow (disk target vda)
103+
104+This change makes virSecurityDACMoveImageMetadataHelper and
105+virSecuritySELinuxMoveImageMetadataHelper accept that
106+error code gracefully and in that sense it is an extension of:
107+5214b2f1a3f "security: Don't skip label restore on file systems lacking XATTRs"
108+which does the same for other call chains into the virFile*XAttr functions.
109+
110+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
111+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
112+
113+Origin: upstream, https://libvirt.org/git/?p=libvirt.git;a=commit;h=55029d93150e33d70b02b6de2b899c05054c5d3a
114+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879325
115+Last-Update: 2020-05-27
116+
117+---
118+ src/security/security_dac.c | 6 ++++++
119+ src/security/security_selinux.c | 6 ++++++
120+ 2 files changed, 12 insertions(+)
121+
122+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
123+index bdc2d7edf3..7b95a6f86d 100644
124+--- a/src/security/security_dac.c
125++++ b/src/security/security_dac.c
126+@@ -1117,6 +1117,12 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
127+
128+ ret = virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, data->dst);
129+ virSecurityManagerMetadataUnlock(data->mgr, &state);
130++
131++ if (ret == -2) {
132++ /* Libvirt built without XATTRS */
133++ ret = 0;
134++ }
135++
136+ return ret;
137+ }
138+
139+diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
140+index 9a929debe1..7bb7c2b7b1 100644
141+--- a/src/security/security_selinux.c
142++++ b/src/security/security_selinux.c
143+@@ -1975,6 +1975,12 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
144+
145+ ret = virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->src, data->dst);
146+ virSecurityManagerMetadataUnlock(data->mgr, &state);
147++
148++ if (ret == -2) {
149++ /* Libvirt built without XATTRS */
150++ ret = 0;
151++ }
152++
153+ return ret;
154+ }
155+
156+--
157+2.26.0
158+

Subscribers

People subscribed via source and target branches