virt-aa-helper: uncommon devices break starting a guest: input evdev, nvdimm, rng

Bug #1757085 reported by Christian Ehrhardt 
Affects: libvirt (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Adding the following two to the devices section of a guest makes it fail to start.

<memory model='nvdimm'>
  <source>
    <path>/var/lib/libvirt/qemu/nvdimm-base</path>
  </source>
  <target>
   <size unit='KiB'>524288</size>
   <node>0</node>
  </target>
</memory>

<input type='passthrough' bus='virtio'>
        <source evdev='/dev/input/event0' />
</input>

This is due to virt-aa-helper not adding their paths to the apparmor profile.
(Note that hot-add is covered via domain label callbacks that I currently implement - see bug 1755153).

summary changed from "virt-aa-helper: input evdev and nvdimm path in guest xml are not accessible" to "virt-aa-helper: uncommon devices break starting a guest: input evdev, nvdimm, rng"
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I was working on adding RNG support as well, but those actually are usually working already.
/dev/random and /dev/urandom are in the apparmor base profile; more special paths are super-uncommon and therefore valid to be added by an admin.
For the EGD backend, config is usually via UDP/IP, so no path support is needed either for the normal case.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

New code successfully creates this on start:
  "/dev/input/event0" rw,
  "/var/lib/libvirt/qemu/nvdimm-base" rw,

Changed in libvirt (Ubuntu):
status: New → In Progress
importance: Undecided → High
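As an added illustration (not libvirt's own code, which does this in C inside virt-aa-helper), the following script reads the two devices from this report out of a constructed guest XML and renders the same `"path" rw,` rules shown in the comment above; the absolute-path check is an assumption about what a generator should refuse, not something the page documents.

```python
import xml.etree.ElementTree as ET

# Constructed guest XML built from the devices quoted in this bug report.
GUEST_XML = """<domain type='kvm'>
  <name>nvdimm-guest</name>
  <devices>
    <memory model='nvdimm'>
      <source><path>/var/lib/libvirt/qemu/nvdimm-base</path></source>
      <target><size unit='KiB'>524288</size><node>0</node></target>
    </memory>
    <input type='passthrough' bus='virtio'>
      <source evdev='/dev/input/event0' />
    </input>
  </devices>
</domain>"""


def device_paths(xml_text):
    """Collect host paths the guest needs opened by qemu: nvdimm backing
    files and passthrough evdev nodes. Relative paths are rejected because
    an AppArmor file rule must name an absolute host path (assumed check)."""
    root = ET.fromstring(xml_text)
    paths = []
    for mem in root.iterfind("./devices/memory[@model='nvdimm']"):
        path = mem.findtext("./source/path")
        if path:
            paths.append(path.strip())
    for inp in root.iterfind("./devices/input[@type='passthrough']"):
        src = inp.find("./source")
        if src is not None and src.get("evdev"):
            paths.append(src.get("evdev").strip())
    for path in paths:
        if not path.startswith("/") or '"' in path:
            raise ValueError("refusing non-absolute or quoted path: %r" % path)
    return paths


def apparmor_rules(xml_text):
    """Render one '"path" rw,' line per device path, in the shape
    virt-aa-helper writes into the per-guest .files profile fragment."""
    return ['  "%s" rw,' % p for p in device_paths(xml_text)]


if __name__ == "__main__":
    print("\n".join(apparmor_rules(GUEST_XML)))
```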
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Tested successfully from ppa - submitted upstream as part of an AppArmor related series.
=> https://www.redhat.com/archives/libvir-list/2018-March/msg01171.html

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The fixes will get a respin, so I took this change out of the currently ongoing upload (to unblock it). I'll work on this one to be ready right after as much as possible.


Changes accepted upstream, preparing an upload and pushing it through regression tests before doing so.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

No regression triggered, uploading ...

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 4.0.0-1ubuntu7

---------------
libvirt (4.0.0-1ubuntu7) bionic; urgency=medium

  * Fix nvdimm memory and passthrough input devices for hotplug via
    domain security callbacks backporting upstream commits (LP: #1755153).
    - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-InputLabel.patch
    - d/p/ubuntu-aa/lp1755153-apparmor-add-Set-Restore-MemoryLabel.patch
  * Fix nvdimm memory and passthrough input devices in initial guest
    description via virt-aa-helper (LP: #1757085).
    - d/p/ubuntu-aa/lp1757085-virt-aa-helper-nvdimm-memory.patch
    - d/p/ubuntu-aa/lp1757085-virt-aa-helper-passthrough-input.patch

 -- Christian Ehrhardt <email address hidden> Wed, 21 Mar 2018 08:30:47 +0100

Changed in libvirt (Ubuntu):
status: In Progress → Fix Released