Merge ~paelzer/ubuntu/+source/libvirt:lp-1989078-AAVMF-locking-FOCAL into ubuntu/+source/libvirt:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 0c5047a17ce8dc5109ad1d52b5ea56723467bca0
Proposed branch: ~paelzer/ubuntu/+source/libvirt:lp-1989078-AAVMF-locking-FOCAL
Merge into: ubuntu/+source/libvirt:ubuntu/focal-devel
Diff against target: 117 lines (+89/-0)
4 files modified
debian/changelog (+7/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch (+32/-0)
debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch (+48/-0)
Reviewer                            Review Type   Date Requested   Status
git-ubuntu bot                                                     Approve
Sergio Durigan Junior (community)                                  Approve
Canonical Server Reporter                                          Pending
Review via email: mp+435343@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Christian.

PPA build succeeded. I couldn't find autopkgtest results against the PPA so I took the liberty to schedule them. Please take a look.

Aside from a minor nit in the DEP-3 headers for the second patch, everything LGTM.

+1 assuming that the dep8 tests are OK.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Oh, the non-tests were intentional - the change has no coverage whatsoever in the tests that are defined. But anyway, it doesn't hurt either ... :-)

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-focal-paelzer-lp-1989078-aavmf-locking/?format=plain)
  libvirt @ amd64:
    10.01.23 23:26:09 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ arm64:
    10.01.23 23:05:40 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ armhf:
    10.01.23 22:04:42 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ ppc64el:
    10.01.23 23:03:26 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1
  libvirt @ s390x:
    10.01.23 23:31:16 Log 🗒️ ✅ Triggers: libvirt/6.0.0-0ubuntu8.17~focalppa1

Christian Ehrhardt  (paelzer) wrote :

Added the dep-3 tag, I didn't think of it as it wasn't the trigger for this fix.
But you are right, why not be complete.

Christian Ehrhardt  (paelzer) wrote :

Uploading libvirt_6.0.0-0ubuntu8.17.dsc
Uploading libvirt_6.0.0-0ubuntu8.17.debian.tar.xz
Uploading libvirt_6.0.0-0ubuntu8.17_source.buildinfo
Uploading libvirt_6.0.0-0ubuntu8.17_source.changes

Waiting for SRU team now ...

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: paelzer, sergiodj
Uploaders: paelzer, sergiodj
MP auto-approved

review: Approve
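The two patches in this proposal change what the libvirt-qemu AppArmor abstraction grants on the UEFI code images (`r` to `rk` under /usr/share/AAVMF and the two OVMF spellings) and add `rwk` rules for the per-VM variable stores under /var/lib/libvirt/qemu/nvram. The following is an added example, not code from libvirt or the Ubuntu packaging: a small checker that parses file rules of that shape, resolves the path globs, and reports which of the permissions QEMU needs a rule set fails to grant. The two rule texts, the sample paths and the "rk"/"rwk" requirements are constructed for the example; the glob translation covers only the subset of AppArmor syntax these lines use (`*`, `**`, `?`, `{a,b}` and the `owner` qualifier), not deny rules, variables or character classes.

```python
"""Audit an AppArmor file-rule set against the accesses QEMU makes on UEFI firmware.

Added example; not code from libvirt or the Ubuntu packaging. The rule text
below is constructed to mirror the lines touched by the lp-1989078 patches.
Only the glob subset those lines use is handled ('*', '**', '?', '{a,b}' and
the 'owner' qualifier); deny rules, variables and character classes are not.
"""
import re
from dataclasses import dataclass

PROFILE_BEFORE = """
  /usr/share/ovmf/** r,
  /usr/share/OVMF/** r,
  /usr/share/AAVMF/** r,
  /usr/share/qemu-efi/** r,
"""

PROFILE_AFTER = """
  /usr/share/ovmf/** rk,
  /usr/share/OVMF/** rk,
  /usr/share/AAVMF/** rk,
  /usr/share/qemu-efi/** r,

  # required for QEMU accessing UEFI nvram variables
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
"""

# Accesses QEMU makes (assumed for this example): the code image is opened
# read-only but locked; the per-VM variable store is read, written and locked.
QEMU_NEEDS = {
    "/usr/share/AAVMF/AAVMF_CODE.fd": "rk",
    "/var/lib/libvirt/qemu/nvram/guest_VARS.fd": "rwk",
}

RULE_RE = re.compile(r"^\s*(owner\s+)?(/\S+)\s+([a-zA-Z]+),\s*(#.*)?$")


@dataclass(frozen=True)
class FileRule:
    owner_only: bool       # 'owner' prefix: applies only to files the task's uid owns
    pattern: re.Pattern    # compiled path glob
    perms: frozenset       # permission letters, e.g. {'r', 'k'}


def glob_to_regex(glob):
    """Translate an AppArmor path glob to a regex: '**' crosses '/',
    '*' and '?' do not, '{a,b}' is alternation (commas only inside braces)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(text):
    """Extract file rules; blank lines, comments and non-file rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            owner, glob, perms, _comment = m.groups()
            rules.append(FileRule(bool(owner), glob_to_regex(glob), frozenset(perms)))
    return rules


def granted(rules, path, owned_by_task_uid=True):
    """Union of permissions over every matching rule: AppArmor accumulates
    file permissions across rules rather than taking the first match."""
    perms = set()
    for rule in rules:
        if rule.owner_only and not owned_by_task_uid:
            continue
        if rule.pattern.match(path):
            perms |= rule.perms
    return frozenset(perms)


def missing(rules, path, needed, owned_by_task_uid=True):
    """Permission letters QEMU would be denied on this path."""
    return frozenset(needed) - granted(rules, path, owned_by_task_uid)


def audit(profile_text, needs=QEMU_NEEDS):
    """Map each path to the permissions the profile text fails to grant."""
    rules = parse_rules(profile_text)
    return {path: missing(rules, path, perms) for path, perms in needs.items()}


if __name__ == "__main__":
    for name, text in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        for path, gap in audit(text).items():
            state = "ok" if not gap else "missing " + "".join(sorted(gap))
            print(f"{name}: {path}: {state}")
```

Running it shows the "before" text lacking `k` on the AAVMF code image and everything on the variable store, and the "after" text granting all of it; the checks also show that the `owner` rules grant nothing when the file is not owned by the uid QEMU runs as, and that `*` does not reach into a subdirectory of the nvram directory. On a real focal host the deployed copy of these rules lives at /etc/apparmor.d/abstractions/libvirt-qemu, and a lock denial appears in the kernel log as an `apparmor="DENIED"` message with `requested_mask="k"`.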

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index babf99f..9b54d06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1libvirt (6.0.0-0ubuntu8.17) focal; urgency=medium
2
3 * d/p/u/lp-1989078-*.patch: allow arm64 to lock its OVMF/AAVMF resources
4 (LP: #1989078)
5
6 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 09 Jan 2023 08:48:16 +0100
7
1libvirt (6.0.0-0ubuntu8.16) focal-security; urgency=medium8libvirt (6.0.0-0ubuntu8.16) focal-security; urgency=medium
29
3 * SECURITY UPDATE: crash via double-free memory issue10 * SECURITY UPDATE: crash via double-free memory issue
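Review bot: the changelog entry describes the change as letting arm64 lock its OVMF/AAVMF resources, but the second patch added in d/p/series (lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch) also turns the two /usr/share/ovmf and /usr/share/OVMF rules into `rk` and adds `owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,` rules that apply on every architecture; say so here, since an SRU reviewer reading only the changelog would expect a profile change confined to arm64. It would also help to cite the Debian bug (https://bugs.debian.org/1006324) that the second patch's header lists as fixed.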
diff --git a/debian/patches/series b/debian/patches/series
index 2f69f69..c88916d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -186,3 +186,5 @@ CVE-2021-4147-5.patch
186CVE-2021-4147-6pre1.patch186CVE-2021-4147-6pre1.patch
187CVE-2021-4147-6.patch187CVE-2021-4147-6.patch
188CVE-2022-0897.patch188CVE-2022-0897.patch
189ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch
190ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
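Review bot: the order of these two entries is load-bearing: the AAVMF patch's hunk context expects `/usr/share/OVMF/** rk,`, which only exists after the UEFI-variable-files patch has changed those lines from `r` to `rk`, so they must stay in this order. Worth a sentence in the X-Backport-Note of the AAVMF patch so a later refresh of the series does not swap them.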
diff --git a/debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch b/debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
189new file mode 100644191new file mode 100644
index 0000000..8ee7a65
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
@@ -0,0 +1,32 @@
1From 2b98d5d91d95087d8a96d6450fa96414ed05ba5c Mon Sep 17 00:00:00 2001
2From: Andrea Bolognani <abologna@redhat.com>
3Date: Mon, 23 May 2022 10:31:02 +0200
4Subject: [PATCH] apparmor: Allow locking AAVMF firmware
5
6We already allow this for OVMF.
7
8Closes: https://gitlab.com/libvirt/libvirt/-/issues/312
9Signed-off-by: Andrea Bolognani <abologna@redhat.com>
10Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
11
12X-Backport-Note: 07af71ad has not landed yet and since it sorted all entries
13 there is some non-functional noise
14Origin: backport, https://gitlab.com/libvirt/libvirt/-/commit/2b98d5d91
15Bug-Ubuntu: https://bugs.launchpad.net/bugs/1989078
16Last-Update: 2023-01-09
17
18---
19 src/security/apparmor/libvirt-qemu | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22--- a/src/security/apparmor/libvirt-qemu
23+++ b/src/security/apparmor/libvirt-qemu
24@@ -91,7 +91,7 @@
25 /usr/share/misc/sgabios.bin r,
26 /usr/share/ovmf/** rk,
27 /usr/share/OVMF/** rk,
28- /usr/share/AAVMF/** r,
29+ /usr/share/AAVMF/** rk,
30 /usr/share/qemu-efi/** r,
31 /usr/share/slof/** r,
32
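Review bot: `/usr/share/qemu-efi/** r,` on the line right below the changed one is left without `k`; a guest whose loader points at firmware under that directory instead of /usr/share/AAVMF would hit the same lock denial this patch fixes, so either confirm that path is not used on focal or give it `rk` as well. Adding `k` without `w` to a read-only code image is the minimal widening: QEMU can take a lock on the file but still cannot modify it.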
diff --git a/debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch b/debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch
0new file mode 10064433new file mode 100644
index 0000000..a6009c9
--- /dev/null
+++ b/debian/patches/ubuntu/lp-1989078-apparmor-Fix-QEMU-access-for-UEFI-variable-files.patch
@@ -0,0 +1,48 @@
1From 7aec69b7fb9d0cfe8b7203473764c205b28d2905 Mon Sep 17 00:00:00 2001
2From: Martin Pitt <mpitt@debian.org>
3Date: Fri, 25 Feb 2022 14:07:30 +0000
4Subject: [PATCH] apparmor: Fix QEMU access for UEFI variable files
5
6QEMU needs to read, write, and lock the NVRAM *.fd files with UEFI
7firmware.
8
9Fixes: https://bugs.debian.org/1006324
10Fixes: https://launchpad.net/bugs/1962035
11
12Signed-off-by: Martin Pitt <mpitt@debian.org>
13Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
14
15X-Backport-Note: 07af71ad has not landed yet and since it sorted all entries
16 there is some non-functional noise
17Origin: backport, https://gitlab.com/libvirt/libvirt/-/commit/7aec69b7f
18Bug-Ubuntu: https://bugs.launchpad.net/bugs/1989078
19Bug-Debian: https://bugs.debian.org/1006324
20Last-Update: 2023-01-09
21
22---
23 src/security/apparmor/libvirt-qemu | 10 +++++++---
24 1 file changed, 7 insertions(+), 3 deletions(-)
25
26--- a/src/security/apparmor/libvirt-qemu
27+++ b/src/security/apparmor/libvirt-qemu
28@@ -89,8 +89,8 @@
29 /usr/share/vgabios/** r,
30 /usr/share/seabios/** r,
31 /usr/share/misc/sgabios.bin r,
32- /usr/share/ovmf/** r,
33- /usr/share/OVMF/** r,
34+ /usr/share/ovmf/** rk,
35+ /usr/share/OVMF/** rk,
36 /usr/share/AAVMF/** r,
37 /usr/share/qemu-efi/** r,
38 /usr/share/slof/** r,
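Review bot: the commit message only talks about the NVRAM *.fd variable files, yet this hunk changes the rules for the read-only code images under /usr/share/ovmf and /usr/share/OVMF to `rk`; the DEP-3 description should state that QEMU also locks the code image it boots from, otherwise the `k` here reads as a stray change. Note that `k` without `w` is lock permission only, so this does not let the confined QEMU write to the firmware images.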
39@@ -264,5 +264,9 @@
40 / r, # harmless on any lsb compliant system
41 /sys/bus/nd/devices/{,**/} r,
42
43+ # required for QEMU accessing UEFI nvram variables
44+ owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
45+ owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
46+
47 # Site-specific additions and overrides. See local/README for details.
48 #include <local/abstractions/libvirt-qemu>
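Review bot: the `owner` qualifier means these two rules only apply when the variable store is owned by the uid the confined QEMU runs as; libvirt arranges that for files it creates, but a variable store copied into /var/lib/libvirt/qemu/nvram by root will still be denied with the same symptom this patch fixes. The globs also only cover the default naming (`*_VARS.fd`, `*_VARS.ms.fd`) directly in that directory, not a custom `<nvram>` path from the domain XML. Both constraints belong in the comment line above the rules (`# required for QEMU accessing UEFI nvram variables`) so the next person debugging a denial knows where to look.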
