Merge ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-LUNAR into ubuntu/+source/libvirt:ubuntu/lunar-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: ca8b8e40fc53198ed4a8a708d771066e898f20cf
Proposed branch: ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-LUNAR
Merge into: ubuntu/+source/libvirt:ubuntu/lunar-devel
Diff against target: 218 lines (+177/-0)
5 files modified
debian/changelog (+15/-0)
debian/patches/series (+3/-0)
debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch (+49/-0)
debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch (+58/-0)
debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch (+52/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Reporter Pending
git-ubuntu import Pending
Review via email: mp+433429@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

[14:57] <lvoytek> [32f->31c] paelzer: The combo upload for libvirt looks good to me. Feel free to use it (re @cpaelzer: lvoytek: if ...)

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 22a9983..30e4904 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,18 @@
6+libvirt (8.6.0-0ubuntu4) lunar; urgency=medium
7+
8+ [ Lena Voytek ]
9+ * d/p/u/fix-swtpm-pid-duplication.patch: Clean up swtpm pids after a vm
10+ shuts down (LP: #1997269)
11+
12+ [Christian Ehrhardt ]
13+ * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent
14+ apparmor denials on USB forwarding (LP: #1993304)
15+ * d/p/u/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch:
16+ tolerate the impact of too large udev data avoiding a busy loop
17+ (LP: #1996176)
18+
19+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 22 Nov 2022 11:21:30 +0100
20+
21 libvirt (8.6.0-0ubuntu3) kinetic; urgency=medium
22
23 * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
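Review bot: the first bullet names the patch as `d/p/u/fix-swtpm-pid-duplication.patch`, but the file added in this merge (and the entry in `debian/patches/series`) is `ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch`; please use the full name so the changelog can be grepped against the series file. The author block `[Christian Ehrhardt ]` also lacks the surrounding spaces used in `[ Lena Voytek ]` above it.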
24diff --git a/debian/patches/series b/debian/patches/series
25index c2f6adb..6b0c1f9 100644
26--- a/debian/patches/series
27+++ b/debian/patches/series
28@@ -14,6 +14,7 @@ ubuntu/lp-1861125-ubuntu-models.patch
29 ubuntu/dnsmasq-as-priv-user
30 ubuntu/ovmf_paths.patch
31 ubuntu/wait-for-qemu-kvm.patch
32+ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
33
34 # Ubuntu Apparmor Changes
35 ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch
36@@ -26,3 +27,5 @@ ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch
37 ubuntu/swtpm-by-swtpm-user.patch
38 ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
39 ubuntu/lp-1990949-virpcivpd-reduce-errors-in-log-due-to-invalid-VPD.patch
40+ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
41+ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
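Review bot: placement of the two new entries is inconsistent with the first hunk, which put the swtpm fix in the generic `ubuntu/` block above `# Ubuntu Apparmor Changes`; `lp-1996176` touches `src/node_device/node_device_udev.c` and is not an AppArmor change, so it would read more naturally next to `ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch` rather than appended after the `ubuntu-aa/` patches. Ordering at the end of the series is otherwise harmless since the patches touch disjoint files.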
42diff --git a/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
43new file mode 100644
44index 0000000..ad62376
45--- /dev/null
46+++ b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
47@@ -0,0 +1,49 @@
48+From d6ecd766aa95028b35b6da0d709721720c75c7c1 Mon Sep 17 00:00:00 2001
49+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
50+Date: Thu, 17 Nov 2022 09:35:05 +0100
51+Subject: [PATCH] apparmor: allow getattr on usb devices
52+
53+For the handling of usb we already allow plenty of read access,
54+but so far /sys/bus/usb/devices only needed read access to the directory
55+to enumerate the symlinks in there that point to the actual entries via
56+relative links to ../../../devices/.
57+
58+But in more recent systemd with updated libraries a program might do
59+getattr calls on those symlinks. And while symlinks in apparmor usually
60+do not matter, as it is the effective target of an access that has to be
61+allowed, here the getattr calls are on the links themselves.
62+
63+On USB hostdev usage that causes a set of denials like:
64+ apparmor="DENIED" operation="getattr" class="file"
65+ name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
66+ requested_mask="r" denied_mask="r" ...
67+
68+It is safe to read the links, therefore add a rule to allow it to
69+the block of rules that covers the usb related access.
70+
71+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
72+Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
73+
74+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/d6ecd766aa950
75+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1993304
76+Last-Update: 2022-11-22
77+
78+---
79+ src/security/apparmor/libvirt-qemu | 1 +
80+ 1 file changed, 1 insertion(+)
81+
82+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
83+index 02ee273e7e..d0289b8943 100644
84+--- a/src/security/apparmor/libvirt-qemu
85++++ b/src/security/apparmor/libvirt-qemu
86+@@ -42,6 +42,7 @@
87+
88+ # For hostdev access. The actual devices will be added dynamically
89+ /sys/bus/usb/devices/ r,
90++ /sys/bus/usb/devices/* r,
91+ /sys/devices/**/usb[0-9]*/** r,
92+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
93+ /run/udev/data/+usb* r,
94+--
95+2.38.1
96+
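Review bot: the new rule `/sys/bus/usb/devices/* r,` uses a single-level glob, so the widening is limited to the symlink entries the commit message describes rather than recursing below them, and the resolved targets stay governed by the existing `/sys/devices/**/usb[0-9]*/** r,` line. Since AppArmor's `r` permission also covers `getattr`, this matches the logged `operation="getattr" ... requested_mask="r"` denial; DEP-3 headers (Origin, Bug-Ubuntu, Last-Update) are all present, so nothing to add here.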
97diff --git a/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
98new file mode 100644
99index 0000000..16a3e9c
100--- /dev/null
101+++ b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
102@@ -0,0 +1,58 @@
103+From 33a38492b75acb7dbec9b64c41a5dba4acde4240 Mon Sep 17 00:00:00 2001
104+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
105+Date: Thu, 10 Nov 2022 10:36:28 +0100
106+Subject: [PATCH] nodedev: ignore EINVAL from libudev in udevEventHandleThread
107+MIME-Version: 1.0
108+Content-Type: text/plain; charset=UTF-8
109+Content-Transfer-Encoding: 8bit
110+
111+Certain udev entries might be of a size that makes libudev emit EINVAL
112+which right now leads to udevEventHandleThread exiting. Due to no more
113+handling events other elements of libvirt will start pushing for events
114+to be consumed which never happens causing a busy loop burning a cpu
115+without any gain.
116+
117+After evaluation of the example case discussed in in #245 and a test
118+run ignoring EINVAL it was considered safe to add EINVAL to the ignored
119+errnos to not exit udevEventHandleThread giving it more resilience.
120+
121+The root cause is in systemd and by now was discussed and fixed via
122+https://github.com/systemd/systemd/issues/24987, but hardening libvirt
123+to be able to better deal with EINVAL returned still is the right thing
124+to avoid the reported busy loops on systemd with older systemd versions.
125+
126+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/245
127+
128+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
129+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
130+
131+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/33a38492b75acb7
132+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1996176
133+Last-Update: 2022-11-22
134+
135+---
136+ src/node_device/node_device_udev.c | 6 ++++--
137+ 1 file changed, 4 insertions(+), 2 deletions(-)
138+
139+diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
140+index 24ef1c25a9..2454cab8f8 100644
141+--- a/src/node_device/node_device_udev.c
142++++ b/src/node_device/node_device_udev.c
143+@@ -1865,10 +1865,12 @@ udevEventHandleThread(void *opaque G_GNUC_UNUSED)
144+ }
145+
146+ /* POSIX allows both EAGAIN and EWOULDBLOCK to be used
147+- * interchangeably when the read would block or timeout was fired
148++ * interchangeably when the read would block or timeout was fired.
149++ * EINVAL might happen on too large udev entries, ignore those for
150++ * the robustness of udevEventHandleThread.
151+ */
152+ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
153+- if (errno != EAGAIN && errno != EWOULDBLOCK) {
154++ if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL) {
155+ VIR_WARNINGS_RESET
156+ virReportSystemError(errno, "%s",
157+ _("failed to receive device from udev "
158+--
159+2.38.1
160+
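Review bot: with `if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL)` an oversized udev entry is now dropped with no trace at all, which makes the condition this patch works around harder to spot on systems still running the affected systemd; consider a `VIR_DEBUG` in the ignored branch so the skipped event stays observable when diagnosing device enumeration gaps. The commit message also carries a doubled word in `discussed in in #245`.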
161diff --git a/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
162new file mode 100644
163index 0000000..ac4dfc9
164--- /dev/null
165+++ b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
166@@ -0,0 +1,52 @@
167+Description: Do not keep swtpm pidfile around after stopping qemu vm
168+Author: Martin Kletzander <mkletzan@redhat.com>
169+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/3c2d06d78e1bd2d9298276b44a6ab09cc3b36e5a
170+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2111301
171+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1997269
172+Last-Update: 2022-11-21
173+---
174+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
175+--- a/src/qemu/qemu_tpm.c
176++++ b/src/qemu/qemu_tpm.c
177+@@ -793,28 +793,25 @@
178+ g_autofree char *pathname = NULL;
179+ g_autofree char *errbuf = NULL;
180+ g_autofree char *swtpm_ioctl = virTPMGetSwtpmIoctl();
181++ g_autofree char *pidfile = qemuTPMEmulatorPidFileBuildPath(swtpmStateDir,
182++ shortName);
183+
184+- if (!swtpm_ioctl)
185+- return;
186++ if (swtpm_ioctl &&
187++ (pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)) &&
188++ virFileExists(pathname)) {
189+
190+- if (!(pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)))
191+- return;
192++ cmd = virCommandNewArgList(swtpm_ioctl, "--unix", pathname, "-s", NULL);
193+
194+- if (!virFileExists(pathname))
195+- return;
196++ virCommandSetErrorBuffer(cmd, &errbuf);
197+
198+- cmd = virCommandNew(swtpm_ioctl);
199+- if (!cmd)
200+- return;
201++ ignore_value(virCommandRun(cmd, NULL));
202+
203+- virCommandAddArgList(cmd, "--unix", pathname, "-s", NULL);
204++ /* clean up the socket */
205++ unlink(pathname);
206++ }
207+
208+- virCommandSetErrorBuffer(cmd, &errbuf);
209+-
210+- ignore_value(virCommandRun(cmd, NULL));
211+-
212+- /* clean up the socket */
213+- unlink(pathname);
214++ if (pidfile)
215++ virPidFileForceCleanupPath(pidfile);
216+ }
217+
218+
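Review bot: the ordering is right (stop the emulator via `swtpm_ioctl -s`, remove the socket, then clean the pidfile), but `virPidFileForceCleanupPath(pidfile)` will signal whatever process the pidfile still names before unlinking it, so a one-line comment above `if (pidfile)` stating that this is expected to be a no-op after a clean shutdown and only kills a lingering swtpm would help the next reader. Note also that `errbuf` is still collected from `virCommandRun` but never reported when the ioctl fails; that is pre-existing, not introduced here. The `Bug-Ubuntu:` URL uses the `/ubuntu/+source/libvirt/+bug/` form while the other two patches use `https://bugs.launchpad.net/bugs/`; both resolve, but one style across the three would be tidier.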