Merge ~paelzer/ubuntu/+source/libvirt:lp-1990499-riscv64-loader-apparmor-JAMMY-v2 into ubuntu/+source/libvirt:ubuntu/jammy-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 34dcf774abdace4d5d50a7c9eac9ceca8bc75eb7
Proposed branch: ~paelzer/ubuntu/+source/libvirt:lp-1990499-riscv64-loader-apparmor-JAMMY-v2
Merge into: ubuntu/+source/libvirt:ubuntu/jammy-devel
Diff against target: 88 lines (+66/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch (+58/-0)
Reviewers (status):
  git-ubuntu bot: Approve
  Sergio Durigan Junior (community): Approve
  Canonical Server Reporter: Pending
Review via email: mp+430945@code.launchpad.net
Christian Ehrhardt (paelzer) wrote :

Sergio Durigan Junior (sergiodj) wrote :

Thanks, Christian.

dep8 tests passed:

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-paelzer-lp-1990499-libvirt-riscv64-apparmor/?format=plain)
  libvirt @ amd64:
    04.10.22 09:58:17 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ arm64:
    04.10.22 10:06:03 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ armhf:
    04.10.22 09:58:33 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ ppc64el:
    04.10.22 10:05:36 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ s390x:
    04.10.22 09:56:53 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3

Changes LGTM. I was able to reproduce the failure and verify that the packages from your PPA fix the problem. I took the liberty to improve the Test Plan a bit.

review: Approve

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: paelzer, sergiodj
Uploaders: paelzer, sergiodj
MP auto-approved

review: Approve

Sergio Durigan Junior (sergiodj) wrote :

I see that the upload fixing bug 1989078 has just been accepted, so this will need a rebase + version bump.

Christian Ehrhardt  (paelzer) wrote :

Yep, there seems to be always one more in the queue for the virt stack.
Qemu also just had one released for the next to enter :-)

Christian Ehrhardt  (paelzer) wrote :

Rebased and bumped, since this is a minimal change I consider it still approved.
Uploading ...

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index a06a29b..7b0c2a2 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libvirt (8.0.0-1ubuntu7.3) jammy; urgency=medium
7+
8+ * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
9+ easen the use of riscv64 through libvirt (LP: #1990499)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 04 Oct 2022 08:33:14 +0200
12+
13 libvirt (8.0.0-1ubuntu7.2) jammy; urgency=medium
14
15 * d/p/u/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch: allow arm64
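Review bot: The bullet in the new 8.0.0-1ubuntu7.3 entry ("easen the use of riscv64 through libvirt") does not say what actually changes. The patch it names relaxes the path rules in virt-aa-helper, so the changelog should state that, for example "allow read-only use of the u-boot and opensbi loader paths under /usr/lib", so a reader of the changelog alone can tell that the AppArmor helper now accepts additional paths and which ones.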
16diff --git a/debian/patches/series b/debian/patches/series
17index 36f7453..e89d1a5 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -34,3 +34,4 @@ ubuntu/swtpm-by-swtpm-user.patch
21 ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch
22 ubuntu/lp-1972075-Allow-VM-to-read-sysfs-PCI-config-revision-files.patch
23 ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
24+ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
25diff --git a/debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch b/debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
26new file mode 100644
27index 0000000..f486fe1
28--- /dev/null
29+++ b/debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
30@@ -0,0 +1,58 @@
31+From 31ea9433aadacd08462faaa3e4b8a3f5949a7d7a Mon Sep 17 00:00:00 2001
32+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
33+Date: Tue, 27 Sep 2022 11:03:07 +0200
34+Subject: [PATCH] virt-aa-helper: allow common riscv64 loader paths
35+
36+Riscv64 usually uses u-boot as external -kernel and a loader from
37+the open implementation of RISC-V SBI. The paths for those binaries
38+as packaged in Debian and Ubuntu are in paths which are usually
39+forbidden to be added by the user under /usr/lib...
40+
41+People used to start riscv64 guests only manually via qemu cmdline,
42+but trying to encapsulate that via libvirt now causes failures when
43+starting the guest due to the apparmor isolation not allowing that:
44+ virt-aa-helper: error: skipped restricted file
45+ virt-aa-helper: error: invalid VM definition
46+
47+Explicitly allow the sub-paths used by u-boot-qemu and opensbi
48+under /usr/lib/ as readonly rules.
49+
50+Fixes: https://launchpad.net/bugs/1990499
51+
52+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
53+Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
54+
55+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/31ea9433
56+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1990499
57+Last-Update: 2022-10-04
58+
59+---
60+ src/security/virt-aa-helper.c | 12 +++++++-----
61+ 1 file changed, 7 insertions(+), 5 deletions(-)
62+
63+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
64+index f338488da3..ceadaef99b 100644
65+--- a/src/security/virt-aa-helper.c
66++++ b/src/security/virt-aa-helper.c
67+@@ -476,11 +476,13 @@ valid_path(const char *path, const bool readonly)
68+ "/initrd",
69+ "/initrd.img",
70+ "/usr/share/edk2/",
71+- "/usr/share/OVMF/", /* for OVMF images */
72+- "/usr/share/ovmf/", /* for OVMF images */
73+- "/usr/share/AAVMF/", /* for AAVMF images */
74+- "/usr/share/qemu-efi/", /* for AAVMF images */
75+- "/usr/share/qemu-efi-aarch64/" /* for AAVMF images */
76++ "/usr/share/OVMF/", /* for OVMF images */
77++ "/usr/share/ovmf/", /* for OVMF images */
78++ "/usr/share/AAVMF/", /* for AAVMF images */
79++ "/usr/share/qemu-efi/", /* for AAVMF images */
80++ "/usr/share/qemu-efi-aarch64/", /* for AAVMF images */
81++ "/usr/lib/u-boot/", /* u-boot loaders for qemu */
82++ "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
83+ };
84+ /* override the above with these */
85+ const char * const override[] = {
86+--
87+2.37.3
88+
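Review bot: In the embedded virt-aa-helper.c change, the new entry "/usr/lib/riscv64-linux-gnu/opensbi" has no trailing slash, unlike the other directory entries visible here ("/usr/lib/u-boot/" directly above it and every /usr/share/ entry). The matching code is not part of this hunk, but if valid_path() compares these strings as prefixes, the entry as written also covers sibling names that merely begin with "opensbi" in that directory, which is wider than the "sub-paths used by ... opensbi" the commit message describes. Suggest "/usr/lib/riscv64-linux-gnu/opensbi/" for consistency with the rest of the list, or a short comment explaining why the slash is intentionally omitted.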
