1
diff --git a/debian/changelog b/debian/changelog
2
index 22a9983..30e4904 100644
3
--- a/debian/changelog
4
+++ b/debian/changelog
5
@@ -1,3 +1,18 @@
6
1
libvirt (8.6.0-0ubuntu4) lunar; urgency=medium
7
2
8
3
  [ Lena Voytek ]
9
4
  * d/p/u/fix-swtpm-pid-duplication.patch: Clean up swtpm pids after a vm
10
5
    shuts down (LP: #1997269)
11
6
12
7
  [Christian Ehrhardt ]
13
8
  * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent
14
9
    apparmor denials on USB forwarding (LP: #1993304)
15
10
  * d/p/u/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch:
16
11
    tolerate the impact of too large udev data avoiding a busy loop
17
12
    (LP: #1996176)
18
13
19
14
 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 22 Nov 2022 11:21:30 +0100
20
15
21
1
libvirt (8.6.0-0ubuntu3) kinetic; urgency=medium
16
libvirt (8.6.0-0ubuntu3) kinetic; urgency=medium
22
2
17
23
3
  * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
18
  * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
24
diff --git a/debian/patches/series b/debian/patches/series
25
index c2f6adb..6b0c1f9 100644
26
--- a/debian/patches/series
27
+++ b/debian/patches/series
28
@@ -14,6 +14,7 @@ ubuntu/lp-1861125-ubuntu-models.patch
29
14
ubuntu/dnsmasq-as-priv-user
14
ubuntu/dnsmasq-as-priv-user
30
15
ubuntu/ovmf_paths.patch
15
ubuntu/ovmf_paths.patch
31
16
ubuntu/wait-for-qemu-kvm.patch
16
ubuntu/wait-for-qemu-kvm.patch
32
17
ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
33
17
18
34
18
# Ubuntu Apparmor Changes
19
# Ubuntu Apparmor Changes
35
19
ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch
20
ubuntu-aa/0020-virt-aa-helper-ubuntu-storage-paths.patch
36
@@ -26,3 +27,5 @@ ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch
37
26
ubuntu/swtpm-by-swtpm-user.patch
27
ubuntu/swtpm-by-swtpm-user.patch
38
27
ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
28
ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
39
28
ubuntu/lp-1990949-virpcivpd-reduce-errors-in-log-due-to-invalid-VPD.patch
29
ubuntu/lp-1990949-virpcivpd-reduce-errors-in-log-due-to-invalid-VPD.patch
40
30
ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
41
31
ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
42
diff --git a/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
43
29
new file mode 100644
32
new file mode 100644
44
index 0000000..ad62376
45
--- /dev/null
46
+++ b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
47
@@ -0,0 +1,49 @@
48
1
From d6ecd766aa95028b35b6da0d709721720c75c7c1 Mon Sep 17 00:00:00 2001
49
2
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
50
3
Date: Thu, 17 Nov 2022 09:35:05 +0100
51
4
Subject: [PATCH] apparmor: allow getattr on usb devices
52
5
53
6
For the handling of usb we already allow plenty of read access,
54
7
but so far /sys/bus/usb/devices only needed read access to the directory
55
8
to enumerate the symlinks in there that point to the actual entries via
56
9
relative links to ../../../devices/.
57
10
58
11
But in more recent systemd with updated libraries a program might do
59
12
getattr calls on those symlinks. And while symlinks in apparmor usually
60
13
do not matter, as it is the effective target of an access that has to be
61
14
allowed, here the getattr calls are on the links themselves.
62
15
63
16
On USB hostdev usage that causes a set of denials like:
64
17
 apparmor="DENIED" operation="getattr" class="file"
65
18
 name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
66
19
 requested_mask="r" denied_mask="r" ...
67
20
68
21
It is safe to read the links, therefore add a rule to allow it to
69
22
the block of rules that covers the usb related access.
70
23
71
24
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
72
25
Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
73
26
74
27
Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/d6ecd766aa950
75
28
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1993304
76
29
Last-Update: 2022-11-22
77
30
78
31
---
79
32
 src/security/apparmor/libvirt-qemu | 1 +
80
33
 1 file changed, 1 insertion(+)
81
34
82
35
diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
83
36
index 02ee273e7e..d0289b8943 100644
84
37
--- a/src/security/apparmor/libvirt-qemu
85
38
+++ b/src/security/apparmor/libvirt-qemu
86
39
@@ -42,6 +42,7 @@
87
40
 
88
41
   # For hostdev access. The actual devices will be added dynamically
89
42
   /sys/bus/usb/devices/ r,
90
43
+  /sys/bus/usb/devices/* r,
91
44
   /sys/devices/**/usb[0-9]*/** r,
92
45
   # libusb needs udev data about usb devices (~equal to content of lsusb -v)
93
46
   /run/udev/data/+usb* r,
94
47
-- 
95
48
2.38.1
96
49
97
diff --git a/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
98
0
new file mode 100644
50
new file mode 100644
99
index 0000000..16a3e9c
100
--- /dev/null
101
+++ b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
102
@@ -0,0 +1,58 @@
103
1
From 33a38492b75acb7dbec9b64c41a5dba4acde4240 Mon Sep 17 00:00:00 2001
104
2
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
105
3
Date: Thu, 10 Nov 2022 10:36:28 +0100
106
4
Subject: [PATCH] nodedev: ignore EINVAL from libudev in udevEventHandleThread
107
5
MIME-Version: 1.0
108
6
Content-Type: text/plain; charset=UTF-8
109
7
Content-Transfer-Encoding: 8bit
110
8
111
9
Certain udev entries might be of a size that makes libudev emit EINVAL
112
10
which right now leads to udevEventHandleThread exiting. Due to no more
113
11
handling events other elements of libvirt will start pushing for events
114
12
to be consumed which never happens causing a busy loop burning a cpu
115
13
without any gain.
116
14
117
15
After evaluation of the example case discussed in in #245 and a test
118
16
run ignoring EINVAL it was considered safe to add EINVAL to the ignored
119
17
errnos to not exit udevEventHandleThread giving it more resilience.
120
18
121
19
The root cause is in systemd and by now was discussed and fixed via
122
20
https://github.com/systemd/systemd/issues/24987, but hardening libvirt
123
21
to be able to better deal with EINVAL returned still is the right thing
124
22
to avoid the reported busy loops on systemd with older systemd versions.
125
23
126
24
Fixes: https://gitlab.com/libvirt/libvirt/-/issues/245
127
25
128
26
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
129
27
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
130
28
131
29
Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/33a38492b75acb7
132
30
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1996176
133
31
Last-Update: 2022-11-22
134
32
135
33
---
136
34
 src/node_device/node_device_udev.c | 6 ++++--
137
35
 1 file changed, 4 insertions(+), 2 deletions(-)
138
36
139
37
diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
140
38
index 24ef1c25a9..2454cab8f8 100644
141
39
--- a/src/node_device/node_device_udev.c
142
40
+++ b/src/node_device/node_device_udev.c
143
41
@@ -1865,10 +1865,12 @@ udevEventHandleThread(void *opaque G_GNUC_UNUSED)
144
42
             }
145
43
 
146
44
             /* POSIX allows both EAGAIN and EWOULDBLOCK to be used
147
45
-             * interchangeably when the read would block or timeout was fired
148
46
+             * interchangeably when the read would block or timeout was fired.
149
47
+             * EINVAL might happen on too large udev entries, ignore those for
150
48
+             * the robustness of udevEventHandleThread.
151
49
              */
152
50
             VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
153
51
-            if (errno != EAGAIN && errno != EWOULDBLOCK) {
154
52
+            if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL) {
155
53
             VIR_WARNINGS_RESET
156
54
                 virReportSystemError(errno, "%s",
157
55
                                      _("failed to receive device from udev "
158
56
-- 
159
57
2.38.1
160
58
161
diff --git a/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
162
0
new file mode 100644
59
new file mode 100644
163
index 0000000..ac4dfc9
164
--- /dev/null
165
+++ b/debian/patches/ubuntu/lp-1997269-fix-swtpm-pid-duplication.patch
166
@@ -0,0 +1,52 @@
167
1
Description: Do not keep swtpm pidfile around after stopping qemu vm
168
2
Author: Martin Kletzander <mkletzan@redhat.com>
169
3
Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/3c2d06d78e1bd2d9298276b44a6ab09cc3b36e5a
170
4
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2111301
171
5
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1997269
172
6
Last-Update: 2022-11-21
173
7
---
174
8
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
175
9
--- a/src/qemu/qemu_tpm.c
176
10
+++ b/src/qemu/qemu_tpm.c
177
11
@@ -793,28 +793,25 @@
178
12
     g_autofree char *pathname = NULL;
179
13
     g_autofree char *errbuf = NULL;
180
14
     g_autofree char *swtpm_ioctl = virTPMGetSwtpmIoctl();
181
15
+    g_autofree char *pidfile = qemuTPMEmulatorPidFileBuildPath(swtpmStateDir,
182
16
+        shortName);
183
17
 
184
18
-    if (!swtpm_ioctl)
185
19
-        return;
186
20
+    if (swtpm_ioctl &&
187
21
+        (pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)) &&
188
22
+        virFileExists(pathname)) {
189
23
 
190
24
-    if (!(pathname = qemuTPMEmulatorSocketBuildPath(swtpmStateDir, shortName)))
191
25
-        return;
192
26
+        cmd = virCommandNewArgList(swtpm_ioctl, "--unix", pathname, "-s", NULL);
193
27
 
194
28
-    if (!virFileExists(pathname))
195
29
-        return;
196
30
+        virCommandSetErrorBuffer(cmd, &errbuf);
197
31
 
198
32
-    cmd = virCommandNew(swtpm_ioctl);
199
33
-    if (!cmd)
200
34
-        return;
201
35
+        ignore_value(virCommandRun(cmd, NULL));
202
36
 
203
37
-    virCommandAddArgList(cmd, "--unix", pathname, "-s", NULL);
204
38
+        /* clean up the socket */
205
39
+        unlink(pathname);
206
40
+    }
207
41
 
208
42
-    virCommandSetErrorBuffer(cmd, &errbuf);
209
43
-
210
44
-    ignore_value(virCommandRun(cmd, NULL));
211
45
-
212
46
-    /* clean up the socket */
213
47
-    unlink(pathname);
214
48
+    if (pidfile)
215
49
+        virPidFileForceCleanupPath(pidfile);
216
50
 }
217
51
 
218
52
Reviewer	Date Requested	Status
Christian Ehrhardt  (community)		Approve on 2022-11-22
Canonical Server Reporter	2022-11-22	Pending
git-ubuntu import	2022-11-22	Pending
Review via email: mp+433429@code.launchpad.net