2022-10-18 13:55:38 |
Jelle van der Waa |
bug |
|
|
added bug |
2022-10-19 07:03:39 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
New |
Incomplete |
|
2022-10-20 06:27:24 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
2022-10-21 09:19:15 |
Christian Ehrhardt |
tags |
|
server-todo |
|
2022-11-17 08:42:53 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Incomplete |
Confirmed |
|
2022-11-17 08:43:00 |
Christian Ehrhardt |
tags |
server-todo |
libvirt-23.04 server-todo |
|
2022-11-17 08:43:06 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Jammy |
|
2022-11-17 08:43:06 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Jammy) |
|
2022-11-17 08:43:06 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Kinetic |
|
2022-11-17 08:43:06 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Kinetic) |
|
2022-11-17 08:46:42 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): status |
New |
Triaged |
|
2022-11-17 08:46:44 |
Christian Ehrhardt |
libvirt (Ubuntu Kinetic): status |
New |
Triaged |
|
2022-11-17 08:47:24 |
Christian Ehrhardt |
libvirt (Ubuntu): assignee |
|
Christian Ehrhardt (paelzer) |
|
2022-11-22 09:42:18 |
Christian Ehrhardt |
description |
Start a VM and attach a USB host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
<source>
<vendor id='0x1d6b'/>
<product id='0x0001'/>
</source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
/sys/bus/usb/devices r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/* r, |
[ Impact ]
* Newer code makes qemu+libs access a directory that only
contains symlinks. Usually apparmor ignores that as the
target of the link matters. But the new code fetches
attributes of the links and then the link path (not
the target) matters.
Due to that users see apparmor denials and might even
have issues using their USB to guest forwarding
* The access to those links is considered save and a rule
to allow that was brought upstream. These SRU uploads
will fix the same in Ubuntu back to Jammy and later
[ Test Plan ]
* Set up a VM on a Host
* Define a USB hostdev as shown below (or click one
together in virt manager if you prefer that)
* Attach that device to the guest (also shown below
in the initial report)
* Check if the attach worked and if no apparmor
denials were reported
[ Where problems could occur ]
* This is opening up isolation (just a little bit) which
is usually the safe direction and (so far) has not
triggered regressions in the past.
I can only think of people that might have done complex
workarounds for the issue that - now that it works as
intended - might see a change in behavior. But that is
very unlikely, just mention it here as I consider it
the most likely (albeit very unlikely) regression.
[ Other Info ]
* n/a
----
Start a VM and attach a USB host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
<source>
<vendor id='0x1d6b'/>
<product id='0x0001'/>
</source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
/sys/bus/usb/devices r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/* r, |
|
2022-11-22 10:24:16 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/433429 |
|
2022-11-22 14:57:17 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/433443 |
|
2022-11-22 15:01:16 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/433444 |
|
2022-11-24 06:54:15 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): assignee |
|
Christian Ehrhardt (paelzer) |
|
2022-11-24 06:54:17 |
Christian Ehrhardt |
libvirt (Ubuntu Kinetic): assignee |
|
Christian Ehrhardt (paelzer) |
|
2022-11-24 07:18:47 |
Christian Ehrhardt |
libvirt (Ubuntu): status |
Confirmed |
In Progress |
|
2022-11-24 07:18:49 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): status |
Triaged |
In Progress |
|
2022-11-24 07:18:50 |
Christian Ehrhardt |
libvirt (Ubuntu Kinetic): status |
Triaged |
In Progress |
|
2022-11-29 02:36:24 |
Launchpad Janitor |
libvirt (Ubuntu): status |
In Progress |
Fix Released |
|
2022-12-05 20:34:36 |
Brian Murray |
libvirt (Ubuntu Kinetic): status |
In Progress |
Fix Committed |
|
2022-12-05 20:34:38 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-12-05 20:34:39 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2022-12-05 20:34:43 |
Brian Murray |
tags |
libvirt-23.04 server-todo |
libvirt-23.04 server-todo verification-needed verification-needed-kinetic |
|
2022-12-06 20:38:56 |
Brian Murray |
libvirt (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2022-12-06 20:39:01 |
Brian Murray |
tags |
libvirt-23.04 server-todo verification-needed verification-needed-kinetic |
libvirt-23.04 server-todo verification-needed verification-needed-jammy verification-needed-kinetic |
|
2022-12-08 13:20:18 |
Andreas Hasenack |
description |
[ Impact ]
* Newer code makes qemu+libs access a directory that only
contains symlinks. Usually apparmor ignores that as the
target of the link matters. But the new code fetches
attributes of the links and then the link path (not
the target) matters.
Due to that users see apparmor denials and might even
have issues using their USB to guest forwarding
* The access to those links is considered save and a rule
to allow that was brought upstream. These SRU uploads
will fix the same in Ubuntu back to Jammy and later
[ Test Plan ]
* Set up a VM on a Host
* Define a USB hostdev as shown below (or click one
together in virt manager if you prefer that)
* Attach that device to the guest (also shown below
in the initial report)
* Check if the attach worked and if no apparmor
denials were reported
[ Where problems could occur ]
* This is opening up isolation (just a little bit) which
is usually the safe direction and (so far) has not
triggered regressions in the past.
I can only think of people that might have done complex
workarounds for the issue that - now that it works as
intended - might see a change in behavior. But that is
very unlikely, just mention it here as I consider it
the most likely (albeit very unlikely) regression.
[ Other Info ]
* n/a
----
Start a VM and attach a USB host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
<source>
<vendor id='0x1d6b'/>
<product id='0x0001'/>
</source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
/sys/bus/usb/devices r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/* r, |
[ Impact ]
* Newer code makes qemu+libs access a directory that only
contains symlinks. Usually apparmor ignores that as the
target of the link matters. But the new code fetches
attributes of the links and then the link path (not
the target) matters.
Due to that users see apparmor denials and might even
have issues using their USB to guest forwarding
* The access to those links is considered safe and a rule
to allow that was brought upstream. These SRU uploads
will fix the same in Ubuntu back to Jammy and later
[ Test Plan ]
* Set up a VM on a Host
* Define a USB hostdev as shown below (or click one
together in virt manager if you prefer that)
* Attach that device to the guest (also shown below
in the initial report)
* Check if the attach worked and if no apparmor
denials were reported
[ Where problems could occur ]
* This is opening up isolation (just a little bit) which
is usually the safe direction and (so far) has not
triggered regressions in the past.
I can only think of people that might have done complex
workarounds for the issue that - now that it works as
intended - might see a change in behavior. But that is
very unlikely, just mention it here as I consider it
the most likely (albeit very unlikely) regression.
[ Other Info ]
* n/a
----
Start a VM and attach a USB host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
<source>
<vendor id='0x1d6b'/>
<product id='0x0001'/>
</source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
/sys/bus/usb/devices r,
/sys/bus/usb/devices/ r,
/sys/bus/usb/devices/* r, |
|
2022-12-12 07:07:27 |
Christian Ehrhardt |
tags |
libvirt-23.04 server-todo verification-needed verification-needed-jammy verification-needed-kinetic |
libvirt-23.04 server-todo verification-done-jammy verification-needed verification-needed-kinetic |
|
2022-12-12 10:26:30 |
Christian Ehrhardt |
tags |
libvirt-23.04 server-todo verification-done-jammy verification-needed verification-needed-kinetic |
libvirt-23.04 server-todo verification-done verification-done-jammy verification-done-kinetic |
|
2023-01-03 21:18:34 |
Launchpad Janitor |
libvirt (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-01-03 21:18:41 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-01-03 21:20:28 |
Launchpad Janitor |
libvirt (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|