Merge ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-JAMMY into ubuntu/+source/libvirt:ubuntu/jammy-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 05283298becd84b21615054ad3cb6fc3b19fea87
Proposed branch: ~paelzer/ubuntu/+source/libvirt:fix-pid-duplication-and-more-1997269-1993304-1996176-JAMMY
Merge into: ubuntu/+source/libvirt:ubuntu/jammy-devel
Diff against target: 147 lines (+119/-0)
4 files modified
debian/changelog (+10/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch (+49/-0)
debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch (+58/-0)
Reviewer                                Review Type   Date Requested   Status
git-ubuntu bot                                                         Approve
Lena Voytek (community)                                                Approve
Canonical Server Reporter                                              Pending
Canonical Server packageset reviewers                                  Pending
Review via email: mp+433444@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :
Lena Voytek (lvoytek) wrote :

Both patches here look good to me and match the Kinetic mp

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: paelzer, lvoytek
Uploaders: paelzer
MP auto-approved

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Thanks, both PPA builds are fine as well (no FTBFS there as in lunar, as that was due to new libxen which isn't hitting the older releases).

Uploading ...

Christian Ehrhardt  (paelzer) wrote :

Uploading libvirt_8.0.0-1ubuntu7.4.dsc
Uploading libvirt_8.0.0-1ubuntu7.4.debian.tar.xz
Uploading libvirt_8.0.0-1ubuntu7.4_source.buildinfo
Uploading libvirt_8.0.0-1ubuntu7.4_source.changes

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 7b0c2a2..0ddbc1b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+libvirt (8.0.0-1ubuntu7.4) jammy; urgency=medium
7+
8+ * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent
9+ apparmor denials on USB forwarding (LP: #1993304)
10+ * d/p/u/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch:
11+ tolerate the impact of too large udev data avoiding a busy loop
12+ (LP: #1996176)
13+
14+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 22 Nov 2022 15:59:28 +0100
15+
16 libvirt (8.0.0-1ubuntu7.3) jammy; urgency=medium
17
18 * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
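Review bot: neither changelog entry says that the patch is an upstream cherry-pick, although both patch headers carry `Origin: upstream` with the libvirt commit URL; for a stable-release update the SRU reviewer wants that in the changelog too, e.g. `(LP: #1993304, upstream d6ecd766)`. The wording of the second entry, `tolerate the impact of too large udev data avoiding a busy loop`, also hides what actually changes; `ignore EINVAL from libudev so udevEventHandleThread keeps running instead of leaving the daemon in a busy loop` states the behaviour.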
19diff --git a/debian/patches/series b/debian/patches/series
20index e89d1a5..53cdc04 100644
21--- a/debian/patches/series
22+++ b/debian/patches/series
23@@ -35,3 +35,5 @@ ubuntu-aa/0035-apparmor-separate-swtpm-rules.patch
24 ubuntu/lp-1972075-Allow-VM-to-read-sysfs-PCI-config-revision-files.patch
25 ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
26 ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
27+ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
28+ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
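Review bot: the two patches are appended in the opposite order to the changelog (lp-1996176 before lp-1993304 here, lp-1993304 listed first in d/changelog). Since they touch different files (src/security/apparmor/libvirt-qemu and src/node_device/node_device_udev.c) the quilt apply order does not matter, but keeping series and changelog in the same order makes cross-checking the SRU paperwork easier.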
29diff --git a/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
30new file mode 100644
31index 0000000..ad62376
32--- /dev/null
33+++ b/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
34@@ -0,0 +1,49 @@
35+From d6ecd766aa95028b35b6da0d709721720c75c7c1 Mon Sep 17 00:00:00 2001
36+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
37+Date: Thu, 17 Nov 2022 09:35:05 +0100
38+Subject: [PATCH] apparmor: allow getattr on usb devices
39+
40+For the handling of usb we already allow plenty of read access,
41+but so far /sys/bus/usb/devices only needed read access to the directory
42+to enumerate the symlinks in there that point to the actual entries via
43+relative links to ../../../devices/.
44+
45+But in more recent systemd with updated libraries a program might do
46+getattr calls on those symlinks. And while symlinks in apparmor usually
47+do not matter, as it is the effective target of an access that has to be
48+allowed, here the getattr calls are on the links themselves.
49+
50+On USB hostdev usage that causes a set of denials like:
51+ apparmor="DENIED" operation="getattr" class="file"
52+ name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
53+ requested_mask="r" denied_mask="r" ...
54+
55+It is safe to read the links, therefore add a rule to allow it to
56+the block of rules that covers the usb related access.
57+
58+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
59+Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
60+
61+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/d6ecd766aa950
62+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1993304
63+Last-Update: 2022-11-22
64+
65+---
66+ src/security/apparmor/libvirt-qemu | 1 +
67+ 1 file changed, 1 insertion(+)
68+
69+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
70+index 02ee273e7e..d0289b8943 100644
71+--- a/src/security/apparmor/libvirt-qemu
72++++ b/src/security/apparmor/libvirt-qemu
73+@@ -42,6 +42,7 @@
74+
75+ # For hostdev access. The actual devices will be added dynamically
76+ /sys/bus/usb/devices/ r,
77++ /sys/bus/usb/devices/* r,
78+ /sys/devices/**/usb[0-9]*/** r,
79+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
80+ /run/udev/data/+usb* r,
81+--
82+2.38.1
83+
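Review bot: `/sys/bus/usb/devices/* r,` is a static rule covering every entry in that directory, while the comment two lines above it says the actual devices are added dynamically per guest; the commit message says reading the links is safe but not why. Worth stating in the message that the single `*` does not descend into subdirectories, so the rule only exposes the link targets (relative paths into ../../../devices/), and that those targets are already readable through the existing `/sys/devices/**/usb[0-9]*/** r,` rule, so no information becomes reachable that was not before. The denial only shows `comm="qemu-system-x86"` and the message attributes the new getattr to "more recent systemd with updated libraries" without naming the call site; recording which library performs it would help a future maintainer decide when the rule can be dropped again.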
84diff --git a/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
85new file mode 100644
86index 0000000..16a3e9c
87--- /dev/null
88+++ b/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
89@@ -0,0 +1,58 @@
90+From 33a38492b75acb7dbec9b64c41a5dba4acde4240 Mon Sep 17 00:00:00 2001
91+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
92+Date: Thu, 10 Nov 2022 10:36:28 +0100
93+Subject: [PATCH] nodedev: ignore EINVAL from libudev in udevEventHandleThread
94+MIME-Version: 1.0
95+Content-Type: text/plain; charset=UTF-8
96+Content-Transfer-Encoding: 8bit
97+
98+Certain udev entries might be of a size that makes libudev emit EINVAL
99+which right now leads to udevEventHandleThread exiting. Due to no more
100+handling events other elements of libvirt will start pushing for events
101+to be consumed which never happens causing a busy loop burning a cpu
102+without any gain.
103+
104+After evaluation of the example case discussed in in #245 and a test
105+run ignoring EINVAL it was considered safe to add EINVAL to the ignored
106+errnos to not exit udevEventHandleThread giving it more resilience.
107+
108+The root cause is in systemd and by now was discussed and fixed via
109+https://github.com/systemd/systemd/issues/24987, but hardening libvirt
110+to be able to better deal with EINVAL returned still is the right thing
111+to avoid the reported busy loops on systemd with older systemd versions.
112+
113+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/245
114+
115+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
116+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
117+
118+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/33a38492b75acb7
119+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1996176
120+Last-Update: 2022-11-22
121+
122+---
123+ src/node_device/node_device_udev.c | 6 ++++--
124+ 1 file changed, 4 insertions(+), 2 deletions(-)
125+
126+diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
127+index 24ef1c25a9..2454cab8f8 100644
128+--- a/src/node_device/node_device_udev.c
129++++ b/src/node_device/node_device_udev.c
130+@@ -1865,10 +1865,12 @@ udevEventHandleThread(void *opaque G_GNUC_UNUSED)
131+ }
132+
133+ /* POSIX allows both EAGAIN and EWOULDBLOCK to be used
134+- * interchangeably when the read would block or timeout was fired
135++ * interchangeably when the read would block or timeout was fired.
136++ * EINVAL might happen on too large udev entries, ignore those for
137++ * the robustness of udevEventHandleThread.
138+ */
139+ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
140+- if (errno != EAGAIN && errno != EWOULDBLOCK) {
141++ if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL) {
142+ VIR_WARNINGS_RESET
143+ virReportSystemError(errno, "%s",
144+ _("failed to receive device from udev "
145+--
146+2.38.1
147+
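Review bot: after the changed condition `if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL)`, EINVAL now takes the same silent path as EAGAIN, but the two cases differ: EAGAIN means no event was pending, while EINVAL means libudev rejected an event that did arrive (the message says "too large udev entries"), so that device add/remove notification is lost and nodedev state for the device may go stale. Suggest a VIR_DEBUG in the EINVAL case so the dropped event is at least visible in the daemon log, and a code comment pointing at systemd issue 24987 next to the new errno rather than only in the commit message. The hunk does not show what follows the `if`; confirm that the ignored path goes back to waiting on the monitor fd rather than retrying the receive immediately, otherwise a persistently unparsable message could itself keep the thread busy.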

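The denial quoted in the apparmor patch description maps directly onto a profile rule, and the reviewer question is how wide the glob needs to be. The following is an added example, not code from libvirt or from this merge proposal, that parses such a DENIED audit line into the rule it asks for and then checks which of the existing libvirt-qemu globs shown in the hunk already cover the denied path. The audit line is constructed from the fragment in the commit message; the function names (`aa_field`, `aa_denial_to_rule`, `aa_glob_to_ere`, `aa_glob_matches`) are this example's own, and the glob translation handles only `*`, `**` and character classes, not brace alternation.

```shell
#!/bin/sh
# Added example, not part of libvirt or of this merge proposal: turn an
# AppArmor DENIED audit line into the profile rule it asks for, then check
# which existing rule globs would already cover the denied path.

# Extract one key="value" field from an audit line ($1 = line, $2 = key).
# A leading space is prepended so the first field matches like the others.
aa_field() {
    printf ' %s\n' "$1" | sed -nE "s/.*[[:space:]]$2=\"([^\"]*)\".*/\1/p"
}

# Emit the rule that would satisfy the denial, e.g. "/path r,".
aa_denial_to_rule() {
    name=$(aa_field "$1" name)
    mask=$(aa_field "$1" requested_mask)
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$name" "$mask"
}

# Translate an AppArmor path glob into an anchored ERE. The two forms the
# libvirt-qemu profile uses are handled: '**' may span '/', a single '*'
# stays inside one path component; [..] classes are the same in both
# syntaxes. Brace alternation {a,b} is not handled here.
aa_glob_to_ere() {
    printf '%s\n' "$1" | awk '{
        gsub(/[.+?()|]/, "\\\\&");   # escape ERE metacharacters found in literal paths
        gsub(/\*\*/, "\001");        # stash ** so the single-star rule does not consume it
        gsub(/\*/, "[^/]*");         # * matches within one component only
        gsub("\001", ".*");          # ** matches across components
        print "^" $0 "$"
    }'
}

# Exit status 0 if rule glob $1 covers path $2.
aa_glob_matches() {
    printf '%s\n' "$2" | grep -Eq "$(aa_glob_to_ere "$1")"
}

# Constructed audit line, modelled on the denial quoted in the patch description.
DENIAL='apparmor="DENIED" operation="getattr" class="file" name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86" requested_mask="r" denied_mask="r"'

echo "suggested rule: $(aa_denial_to_rule "$DENIAL")"
for rule in '/sys/bus/usb/devices/' '/sys/bus/usb/devices/*' '/sys/devices/**/usb[0-9]*/**'; do
    if aa_glob_matches "$rule" "$(aa_field "$DENIAL" name)"; then
        echo "covered by existing rule: $rule r,"
    else
        echo "not covered:              $rule r,"
    fi
done
```

Running it shows that the pre-existing directory rule `/sys/bus/usb/devices/ r,` covers only the directory itself and not the `usb1` link, that the `/sys/devices/**/usb[0-9]*/**` rule never reaches anything under /sys/bus, and that the new single-`*` rule covers the link without descending into any subtree.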