virt-aa-helper: uncommon devices break starting a guest: input evdev, nvdimm, rng

Bug #1757085 reported by Christian Ehrhardt  on 2018-03-20
Affects: libvirt (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

Adding the following two to the devices section of a guest makes it fail to start.

<memory model='nvdimm'>
  <source>
    <path>/var/lib/libvirt/qemu/nvdimm-base</path>
  </source>
  <target>
    <size unit='KiB'>524288</size>
    <node>0</node>
  </target>
</memory>

<input type='passthrough' bus='virtio'>
  <source evdev='/dev/input/event0'/>
</input>

This is due to virt-aa-helper not adding their paths to the apparmor profile.
(Note that hot-add is covered via domain label callbacks that I currently implement - see bug 1755153).

summary: - virt-aa-helper: input evdev and nvdimm path in guest xml are not
- accessible
+ virt-aa-helper: uncommon devices break starting a guest: input evdev,
+ nvdimm, rng

I was working on adding RNG support as well, but they actually are usually working.
/dev/random / urandom is in the AppArmor base profile; more special paths are super-uncommon and therefore valid to be added by an admin.
For the EGD backend, config is usually via UDP/IP, so no path support is needed either for the normal case.

New code successfully creates this on start:
  "/dev/input/event0" rw,
  "/var/lib/libvirt/qemu/nvdimm-base" rw,

Changed in libvirt (Ubuntu):
status: New → In Progress
importance: Undecided → High
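
The check described in this report, as an added example that is not part of the original bug or of libvirt's code: it extracts the host paths of nvdimm memory and passthrough input devices from a guest definition and lists the AppArmor rules a profile lacks for them. The domain wrapper, the profile fragment and the function names are constructed for illustration; only the two device elements and the rule format come from the report.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two devices from the report inside a minimal domain.
DOMAIN_XML = """
<domain type='kvm'>
  <name>guest</name>
  <devices>
    <memory model='nvdimm'>
      <source><path>/var/lib/libvirt/qemu/nvdimm-base</path></source>
      <target><size unit='KiB'>524288</size><node>0</node></target>
    </memory>
    <input type='passthrough' bus='virtio'>
      <source evdev='/dev/input/event0'/>
    </input>
    <input type='tablet' bus='usb'/>
  </devices>
</domain>
"""

# Constructed profile fragment that has a disk rule but none for the devices above.
PROFILE_BEFORE = '  "/var/lib/libvirt/images/guest.qcow2" rwk,\n'

def device_paths(domain_xml):
    """Return host paths used by nvdimm memory and passthrough input devices."""
    devices = ET.fromstring(domain_xml).find("devices")
    paths = []
    if devices is None:
        return paths
    for mem in devices.findall("memory"):
        if mem.get("model") == "nvdimm":
            path = mem.findtext("source/path")
            if path:
                paths.append(path.strip())
    for inp in devices.findall("input"):
        # Only passthrough inputs reference a host evdev node.
        if inp.get("type") == "passthrough":
            src = inp.find("source")
            if src is not None and src.get("evdev"):
                paths.append(src.get("evdev"))
    return paths

def missing_rules(domain_xml, profile_text):
    """Return rw rules for device paths that have no rule in profile_text."""
    have = {line.strip().split('"')[1] for line in profile_text.splitlines()
            if line.strip().startswith('"')}
    return [f'"{p}" rw,' for p in device_paths(domain_xml) if p not in have]

if __name__ == "__main__":
    print("\n".join(missing_rules(DOMAIN_XML, PROFILE_BEFORE)))
```

An empty result for a guest that uses these devices means the profile already carries the rules quoted in the report.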

Tested successfully from ppa - submitted upstream as part of an AppArmor related series.
=> https://www.redhat.com/archives/libvir-list/2018-March/msg01171.html

The fixes will get a respin, so I took this change out of the currently ongoing upload (to unblock it). I'll work on this one to be ready right after as much as possible.

Changes accepted upstream, preparing an upload and pushing it through regression tests before doing so.

No regression triggered, uploading ...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 4.0.0-1ubuntu7

---------------
libvirt (4.0.0-1ubuntu7) bionic; urgency=medium

  * Fix nvdimm memory and passthrough input devices for hotplug via
    domain security callbacks backporting upstream commits (LP: #1755153).
    - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-InputLabel.patch
    - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-MemoryLabel.patch
  * Fix nvdimm memory and passthrough input devices in initial guest
    description via virt-aa-helper (LP: #1757085).
    - d/p/ubuntu-aa/lp1757085-virt-aa-helper-nvdimm-memory.patch
    - d/p/ubuntu-aa/lp1757085-virt-aa-helper-passthrough-input.patch

 -- Christian Ehrhardt <email address hidden> Wed, 21 Mar 2018 08:30:47 +0100

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released