Merge ~paelzer/ubuntu/+source/libvirt:lp-1890858-fix-connectivity-FOCAL into ubuntu/+source/libvirt:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: dc34361772c316d8c94c3cb9de94011eaf9f5491
Merge reported by: Christian Ehrhardt 
Merged at revision: dc34361772c316d8c94c3cb9de94011eaf9f5491
Proposed branch: ~paelzer/ubuntu/+source/libvirt:lp-1890858-fix-connectivity-FOCAL
Merge into: ubuntu/+source/libvirt:ubuntu/focal-devel
Diff against target: 52 lines (+30/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch (+22/-0)
Reviewer | Review Type | Date Requested | Status
Robie Basak | sru | | Approve
Canonical Server | | | Pending
git-ubuntu developers | | | Pending
Review via email: mp+404124@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

Held back for the new insights into systemd's involvement in this.

Christian Ehrhardt  (paelzer) wrote :

Ok, new input resolved - I update this MP to contain the new better rule.

P.S. the central rule might later (independently) be added in abstractions/nameservices, but this is independent of this fix as e.g. libvirt would not immediately benefit from the abstraction fix anyway (and it would open up much more than wanted).

Robie Basak (racb) wrote :

Perfect, and great job in working the bug as well as finding the solution!

review: Approve (sru)

Christian Ehrhardt (paelzer) wrote :

Thank you!

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/libvirt
 * [new tag] upload/6.0.0-0ubuntu8.10 -> upload/6.0.0-0ubuntu8.10

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading libvirt_6.0.0-0ubuntu8.10.dsc: done.
  Uploading libvirt_6.0.0-0ubuntu8.10.debian.tar.xz: done.
  Uploading libvirt_6.0.0-0ubuntu8.10_source.buildinfo: done.
  Uploading libvirt_6.0.0-0ubuntu8.10_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

This migrated

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index fa7efba..d201ca8 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libvirt (6.0.0-0ubuntu8.10) focal; urgency=medium
7+
8+ * d/p/ubuntu-aa/lp-1890858-unix-socket.patch: avoid issues of some users
9+ to connect to libvirtd (LP: #1890858)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 14 Jun 2021 14:36:04 +0200
12+
13 libvirt (6.0.0-0ubuntu8.9) focal; urgency=medium
14
15 * d/p/u/lp-1921754*: add EPYC-Rome-v2 as v1 missed IBRS and thereby fails
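Review bot: the changelog bullet at added lines 8-9 says only "avoid issues of some users to connect to libvirtd" and never mentions that the fix loosens the libvirtd AppArmor profile. Anyone auditing the SRU from the changelog alone cannot tell that a confinement rule was added. Suggest naming the change, for example "allow unix dgram bind to @userdb-* in the libvirtd AppArmor profile so affected users can connect to libvirtd (LP: #1890858)".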
16diff --git a/debian/patches/series b/debian/patches/series
17index 33f754c..d4e8461 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -155,3 +155,4 @@ ubuntu/lp-1922907-cputest-Add-data-for-Intel-R-Xeon-R-Platinum-9242-CP.patch
21 ubuntu/lp-1922907-cputest-Add-data-for-Intel-R-Xeon-R-Gold-6130-CPU.patch
22 ubuntu/lp-1922907-cpu_map-Distinguish-Cascadelake-Server-from-Skylake-.patch
23 ubuntu/lp-1922907-cleanup-test-data.patch
24+ubuntu-aa/lp-1890858-unix-socket.patch
25diff --git a/debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch b/debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch
26new file mode 100644
27index 0000000..6622e34
28--- /dev/null
29+++ b/debian/patches/ubuntu-aa/lp-1890858-unix-socket.patch
30@@ -0,0 +1,22 @@
31+Description: allow network unix dgram for NSS UID resolution
32+ Certain conditions - aong others non local users - can in Focal
33+ trigger libvirt to call for NSS resolving usernames.
34+ That is done through a unix socket bind/call which is denied
35+ by apparmor. In some cases that is crashing libvirtd and in others
36+ it "only" denies the user from using libvirtd.
37+Forwarded: no
38+X-Not-Forwarded-Reason: not a problem for latter libvirt versions - Ubuntu Focal only
39+Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
40+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1890858
41+Last-Update: 2021-06-14
42+--- a/src/security/apparmor/usr.sbin.libvirtd
43++++ b/src/security/apparmor/usr.sbin.libvirtd
44+@@ -46,6 +46,8 @@ profile libvirtd /usr/sbin/libvirtd flag
45+ network netlink raw,
46+ network packet dgram,
47+ network packet raw,
48++ # For UID resolution in Focal (LP: #1890858)
49++ unix (bind) type=dgram addr=@userdb-*,
50+
51+ # for --p2p migrations
52+ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
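Review bot: the Description headline at line 31, "allow network unix dgram for NSS UID resolution", reads broader than the rule actually added at line 49, "unix (bind) type=dgram addr=@userdb-*,", which grants only bind on abstract addresses matching @userdb-*. The headline should state that scope so a later reader does not assume all unix dgram traffic was opened. The in-profile comment "For UID resolution in Focal (LP: #1890858)" would also be easier to audit if it said which component binds the socket and why a wildcard suffix is required, since that is what decides whether @userdb-* is the narrowest workable pattern. Two typos in the patch header: "aong" at line 32 should be "among", and "latter" at line 38 should be "later".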
