Merge ~paelzer/ubuntu/+source/libvirt:lp-1989078-AAVMF-locking-FOCAL into ubuntu/+source/libvirt:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 0c5047a17ce8dc5109ad1d52b5ea56723467bca0
Proposed branch: ~paelzer/ubuntu/+source/libvirt:lp-1989078-AAVMF-locking-FOCAL
Merge into: ubuntu/+source/libvirt:ubuntu/focal-devel
Diff against target: 117 lines (+89/-0)
4 files modified
debian/changelog (+7/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch (+32/-0)
debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch (+48/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Sergio Durigan Junior (community) Approve
Canonical Server Reporter Pending
Review via email: mp+435343@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Christian.

PPA build succeeded. I couldn't find autopkgtest results against the PPA, so I took the liberty of scheduling them. Please take a look.

Aside from a minor nit in the DEP-3 headers for the second patch, everything LGTM.

+1 assuming that the dep8 tests are OK.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Oh, the non-tests were intentional - the change has no coverage whatsoever in the tests that are defined. But anyway, it doesn't hurt either ... :-)

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-focal-paelzer-lp-1989078-aavmf-locking/?format=plain)
  libvirt @ amd64:
    10.01.23 23:26:09 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ arm64:
    10.01.23 23:05:40 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ armhf:
    10.01.23 22:04:42 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ ppc64el:
    10.01.23 23:03:26 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ s390x:
    10.01.23 23:31:16 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1

Christian Ehrhardt  (paelzer) wrote :

Added the dep-3 tag, I didn't think of it as it wasn't the trigger for this fix.
But you are right, why not be complete.

Christian Ehrhardt  (paelzer) wrote :

Uploading libvirt_6.0.0-0ubuntu8.17.dsc
Uploading libvirt_6.0.0-0ubuntu8.17.debian.tar.xz
Uploading libvirt_6.0.0-0ubuntu8.17_source.buildinfo
Uploading libvirt_6.0.0-0ubuntu8.17_source.changes

Waiting for SRU team now ...

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: paelzer, sergiodj
Uploaders: paelzer, sergiodj
MP auto-approved

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index babf99f..9b54d06 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libvirt (6.0.0-0ubuntu8.17) focal; urgency=medium
7+
8+ * d/p/u/lp-1989078-*.patch: allow arm64 to lock its OVMF/AAVMF resources
9+ (LP: #1989078)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 09 Jan 2023 08:48:16 +0100
12+
13 libvirt (6.0.0-0ubuntu8.16) focal-security; urgency=medium
14
15 * SECURITY UPDATE: crash via double-free memory issue
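Review bot: the changelog bullet undersells the change: it names only arm64 AAVMF locking, but the second patch in the series also upgrades the x86 `/usr/share/ovmf/**` and `/usr/share/OVMF/**` rules from `r` to `rk` and adds `owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,` rules, which affect every architecture. Consider widening it to something like "allow QEMU to lock OVMF/AAVMF firmware and read/write/lock its UEFI NVRAM variable files" so the SRU record matches what the apparmor profile actually changes.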
16diff --git a/debian/patches/series b/debian/patches/series
17index 2f69f69..c88916d 100644
18--- a/debian/patches/series
19+++ b/debian/patches/series
20@@ -186,3 +186,5 @@ CVE-2021-4147-5.patch
21 CVE-2021-4147-6pre1.patch
22 CVE-2021-4147-6.patch
23 CVE-2022-0897.patch
24+ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch
25+ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
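Review bot: the order of these two entries is load-bearing and is not documented anywhere: the Allow-locking-AAVMF patch's context lines expect `/usr/share/ovmf/** rk,` and `/usr/share/OVMF/** rk,`, which only exist after the Fix-QEMU-access patch has been applied, so swapping them would make the second patch fail to apply. A one-line remark in the AAVMF patch's DEP-3 header (it already has an X-Backport-Note) would keep a later refresh from reordering them.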
26diff --git a/debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch b/debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
27new file mode 100644
28index 0000000..8ee7a65
29--- /dev/null
30+++ b/debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
31@@ -0,0 +1,32 @@
32+From 2b98d5d91d95087d8a96d6450fa96414ed05ba5c Mon Sep 17 00:00:00 2001
33+From: Andrea Bolognani <abologna@redhat.com>
34+Date: Mon, 23 May 2022 10:31:02 +0200
35+Subject: [PATCH] apparmor: Allow locking AAVMF firmware
36+
37+We already allow this for OVMF.
38+
39+Closes: https://gitlab.com/libvirt/libvirt/-/issues/312
40+Signed-off-by: Andrea Bolognani <abologna@redhat.com>
41+Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
42+
43+X-Backport-Note: 07af71ad has not landed yet and since it sorted all entries
44+ there is some non-functional noise
45+Origin: backport, https://gitlab.com/libvirt/libvirt/-/commit/2b98d5d91
46+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1989078
47+Last-Update: 2023-01-09
48+
49+---
50+ src/security/apparmor/libvirt-qemu | 2 +-
51+ 1 file changed, 1 insertion(+), 1 deletion(-)
52+
53+--- a/src/security/apparmor/libvirt-qemu
54++++ b/src/security/apparmor/libvirt-qemu
55+@@ -91,7 +91,7 @@
56+ /usr/share/misc/sgabios.bin r,
57+ /usr/share/ovmf/** rk,
58+ /usr/share/OVMF/** rk,
59+- /usr/share/AAVMF/** r,
60++ /usr/share/AAVMF/** rk,
61+ /usr/share/qemu-efi/** r,
62+ /usr/share/slof/** r,
63+
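Review bot: the only functional change here is adding `k` to `/usr/share/AAVMF/**`, which grants file-lock access without write, so the firmware code image stays read-only for the guest and the rule now matches the existing ovmf/OVMF treatment; the DEP-3 headers (Origin, Bug-Ubuntu, Last-Update) are complete. One thing to verify before landing: AppArmor mediates the resolved path, so if the files under `/usr/share/AAVMF/` on focal are symlinks into `/usr/share/qemu-efi/`, the `r`-only rule kept on that line would still deny the lock and this patch alone would not fix the bug.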
64diff --git a/debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch b/debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch
65new file mode 100644
66index 0000000..a6009c9
67--- /dev/null
68+++ b/debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch
69@@ -0,0 +1,48 @@
70+From 7aec69b7fb9d0cfe8b7203473764c205b28d2905 Mon Sep 17 00:00:00 2001
71+From: Martin Pitt <mpitt@debian.org>
72+Date: Fri, 25 Feb 2022 14:07:30 +0000
73+Subject: [PATCH] apparmor: Fix QEMU access for UEFI variable files
74+
75+QEMU needs to read, write, and lock the NVRAM *.fd files with UEFI
76+firmware.
77+
78+Fixes: https://bugs.debian.org/1006324
79+Fixes: https://launchpad.net/bugs/1962035
80+
81+Signed-off-by: Martin Pitt <mpitt@debian.org>
82+Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
83+
84+X-Backport-Note: 07af71ad has not landed yet and since it sorted all entries
85+ there is some non-functional noise
86+Origin: backport, https://gitlab.com/libvirt/libvirt/-/commit/7aec69b7f
87+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1989078
88+Bug-Debian: https://bugs.debian.org/1006324
89+Last-Update: 2023-01-09
90+
91+---
92+ src/security/apparmor/libvirt-qemu | 10 +++++++---
93+ 1 file changed, 7 insertions(+), 3 deletions(-)
94+
95+--- a/src/security/apparmor/libvirt-qemu
96++++ b/src/security/apparmor/libvirt-qemu
97+@@ -89,8 +89,8 @@
98+ /usr/share/vgabios/** r,
99+ /usr/share/seabios/** r,
100+ /usr/share/misc/sgabios.bin r,
101+- /usr/share/ovmf/** r,
102+- /usr/share/OVMF/** r,
103++ /usr/share/ovmf/** rk,
104++ /usr/share/OVMF/** rk,
105+ /usr/share/AAVMF/** r,
106+ /usr/share/qemu-efi/** r,
107+ /usr/share/slof/** r,
108+@@ -264,5 +264,9 @@
109+ / r, # harmless on any lsb compliant system
110+ /sys/bus/nd/devices/{,**/} r,
111+
112++ # required for QEMU accessing UEFI nvram variables
113++ owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
114++ owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
115++
116+ # Site-specific additions and overrides. See local/README for details.
117+ #include <local/abstractions/libvirt-qemu>
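Review bot: the new nvram rules are appropriately tight: `owner` limits them to files owned by the QEMU process uid, and the globs only match the `*_VARS.fd` / `*_VARS.ms.fd` naming, so a domain gains write and lock access to its own variable store only, never to the shared CODE images under `/usr/share`, which keep `rk`. Worth stating in the header, since it is a limitation of the static profile: domains configured with an `<nvram>` path outside `/var/lib/libvirt/qemu/nvram/` are not matched by these rules and would need to be granted elsewhere. The DEP-3 block now carries `Bug-Ubuntu` and `Bug-Debian` alongside the upstream `Fixes:` URLs, which covers the completeness nit raised in review.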
