Ubuntu
libvirt package

Merge ~paelzer/ubuntu/+source/libvirt:lp-1990499-riscv64-loader-apparmor-JAMMY-v2 into ubuntu/+source/libvirt:ubuntu/jammy-devel

Git
lp:~paelzer/ubuntu/+source/libvirt
lp-1990499-riscv64-loader-apparmor-JAMMY-v2
Merge into ubuntu/jammy-devel

Proposed by Christian Ehrhardt  on 2022-10-04

Status:

Merged

Approved by:

git-ubuntu bot on 2022-10-04

Approved revision:

not available

Merged at revision:

34dcf774abdace4d5d50a7c9eac9ceca8bc75eb7

Proposed branch:

~paelzer/ubuntu/+source/libvirt:lp-1990499-riscv64-loader-apparmor-JAMMY-v2

Merge into:

ubuntu/+source/libvirt:ubuntu/jammy-devel

Diff against target:

88 lines (+66/-0)

3 files modified

debian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch (+58/-0)

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot	2022-10-04	Approve on 2022-10-04
Sergio Durigan Junior (community)	2022-10-04	Approve on 2022-10-04
Canonical Server Reporter	2022-10-04	Pending
Review via email: mp+430945@code.launchpad.net

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-10-04:

PPA: https://launchpad.net/~paelzer/+archive/ubuntu/lp-1990499-libvirt-riscv64-apparmor

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-10-04 (last edit on 2022-10-04):

Thanks, Christian.

dep8 tests passed:

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-jammy-paelzer-lp-1990499-libvirt-riscv64-apparmor/?format=plain)
  libvirt @ amd64:
    04.10.22 09:58:17 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ arm64:
    04.10.22 10:06:03 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ armhf:
    04.10.22 09:58:33 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ ppc64el:
    04.10.22 10:05:36 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3
  libvirt @ s390x:
    04.10.22 09:56:53 Log 🗒️ ✅ Triggers: libvirt/8.0.0-1ubuntu7.2~jammyppa3

Changes LGTM. I was able to reproduce the failure and verify that the packages from your PPA fix the problem. I took the liberty to improve the Test Plan a bit.

review: Approve

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2022-10-04:

Approvers: paelzer, sergiodj
Uploaders: paelzer, sergiodj
MP auto-approved

review: Approve

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-10-04:

I see that the upload fixing bug 1989078 has just been accepted, so this will need a rebase + version bump.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-10-05:

Yep, there seems to be always one more in the queue for the virt stack.
Qemu also just had one released for the next to enter :-)

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-10-05:

Rebased and bumped, since this is a minimal change I consider it still approved.
Uploading ...

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Christian Ehrhardt 

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index a06a29b..7b0c2a2 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,10 @@
++libvirt (8.0.0-1ubuntu7.3) jammy; urgency=medium
++
++  * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
++    easen the use of riscv64 through libvirt (LP: #1990499)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 04 Oct 2022 08:33:14 +0200
++
  libvirt (8.0.0-1ubuntu7.2) jammy; urgency=medium
    * d/p/u/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch: allow arm64
 diff --git a/debian/patches/series b/debian/patches/series
 index 36f7453..e89d1a5 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -34,3 +34,4 @@ ubuntu/swtpm-by-swtpm-user.patch
  ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch
  ubuntu/lp-1972075-Allow-VM-to-read-sysfs-PCI-config-revision-files.patch
  ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
++ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
 diff --git a/debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch b/debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
 new file mode 100644
 index 0000000..f486fe1
 --- /dev/null
 +++ b/debian/patches/ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
@@ -0,0 +1,58 @@
++From 31ea9433aadacd08462faaa3e4b8a3f5949a7d7a Mon Sep 17 00:00:00 2001
++From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
++Date: Tue, 27 Sep 2022 11:03:07 +0200
++Subject: [PATCH] virt-aa-helper: allow common riscv64 loader paths
++
++Riscv64 usually uses u-boot as external -kernel and a loader from
++the open implementation of RISC-V SBI. The paths for those binaries
++as packaged in Debian and Ubuntu are in paths which are usually
++forbidden to be added by the user under /usr/lib...
++
++People used to start riscv64 guests only manually via qemu cmdline,
++but trying to encapsulate that via libvirt now causes failures when
++starting the guest due to the apparmor isolation not allowing that:
++   virt-aa-helper: error: skipped restricted file
++   virt-aa-helper: error: invalid VM definition
++
++Explicitly allow the sub-paths used by u-boot-qemu and opensbi
++under /usr/lib/ as readonly rules.
++
++Fixes: https://launchpad.net/bugs/1990499
++
++Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
++Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
++
++Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/31ea9433
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1990499
++Last-Update: 2022-10-04
++
++---
++ src/security/virt-aa-helper.c | 12 +++++++-----
++ 1 file changed, 7 insertions(+), 5 deletions(-)
++
++diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
++index f338488da3..ceadaef99b 100644
++--- a/src/security/virt-aa-helper.c
+++++ b/src/security/virt-aa-helper.c
++@@ -476,11 +476,13 @@ valid_path(const char *path, const bool readonly)
++         "/initrd",
++         "/initrd.img",
++         "/usr/share/edk2/",
++-        "/usr/share/OVMF/",              /* for OVMF images */
++-        "/usr/share/ovmf/",              /* for OVMF images */
++-        "/usr/share/AAVMF/",             /* for AAVMF images */
++-        "/usr/share/qemu-efi/",          /* for AAVMF images */
++-        "/usr/share/qemu-efi-aarch64/"   /* for AAVMF images */
+++        "/usr/share/OVMF/",                  /* for OVMF images */
+++        "/usr/share/ovmf/",                  /* for OVMF images */
+++        "/usr/share/AAVMF/",                 /* for AAVMF images */
+++        "/usr/share/qemu-efi/",              /* for AAVMF images */
+++        "/usr/share/qemu-efi-aarch64/",      /* for AAVMF images */
+++        "/usr/lib/u-boot/",                  /* u-boot loaders for qemu */
+++        "/usr/lib/riscv64-linux-gnu/opensbi" /* RISC-V SBI implementation */
++     };
++     /* override the above with these */
++     const char * const override[] = {
++--
++2.37.3
++

Ubuntu
libvirt package

Merge ~paelzer/ubuntu/+source/libvirt:lp-1990499-riscv64-loader-apparmor-JAMMY-v2 into ubuntu/+source/libvirt:ubuntu/jammy-devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntulibvirt package

Merge ~paelzer/ubuntu/+source/libvirt:lp-1990499-riscv64-loader-apparmor-JAMMY-v2 into ubuntu/+source/libvirt:ubuntu/jammy-devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
libvirt package