Activity log for bug #1993304

Date Who What changed Old value New value Message
2022-10-18 13:55:38 Jelle van der Waa bug added bug
2022-10-19 07:03:39 Christian Ehrhardt  libvirt (Ubuntu): status New Incomplete
2022-10-20 06:27:24 Christian Ehrhardt  bug added subscriber Ubuntu Server
2022-10-21 09:19:15 Christian Ehrhardt  tags server-todo
2022-11-17 08:42:53 Christian Ehrhardt  libvirt (Ubuntu): status Incomplete Confirmed
2022-11-17 08:43:00 Christian Ehrhardt  tags server-todo libvirt-23.04 server-todo
2022-11-17 08:43:06 Christian Ehrhardt  nominated for series Ubuntu Jammy
2022-11-17 08:43:06 Christian Ehrhardt  bug task added libvirt (Ubuntu Jammy)
2022-11-17 08:43:06 Christian Ehrhardt  nominated for series Ubuntu Kinetic
2022-11-17 08:43:06 Christian Ehrhardt  bug task added libvirt (Ubuntu Kinetic)
2022-11-17 08:46:42 Christian Ehrhardt  libvirt (Ubuntu Jammy): status New Triaged
2022-11-17 08:46:44 Christian Ehrhardt  libvirt (Ubuntu Kinetic): status New Triaged
2022-11-17 08:47:24 Christian Ehrhardt  libvirt (Ubuntu): assignee Christian Ehrhardt  (paelzer)
2022-11-22 09:42:18 Christian Ehrhardt  description
Old value:
Start a VM and attach an usb host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
  <source>
    <vendor id='0x1d6b'/>
    <product id='0x0001'/>
  </source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
  /sys/bus/usb/devices r,
  /sys/bus/usb/devices/ r,
  /sys/bus/usb/devices/* r,
New value:
[ Impact ]
 * Never code makes qemu+libs access a directory that only contains symlinks. Usually apparmor ignores that as the target of the link matters. But the new code fetches attributes of the links and then the link path (not the target) matters. Due to that users see apparmor denials and might even have issues using their USB to guest forwarding
 * The access to those links is considered save and a rule to allow that was brought upstream. These SRU uploads will fix the same in Ubuntu back to Jammy and later
[ Test Plan ]
 * Set up a VM on a Host
 * Define a USB hostdev as shown below (or click one together in virt manager if you prefer that)
 * Attach that device to the guest (also shown below in the initial report)
 * Check if the attach worked and if no apparmor denials were reported
[ Where problems could occur ]
 * This is opening up isolation (just a little bit) which is usually the safe direction and (so far) has not triggered regressions in the past. I can only think of people that might have done complex workarounds for the issue that - now that it works as intended - might see a change in behavior. But that is very unlikely, just mention it here as I consider it the most likely (albeit very unlikely) regression.
[ Other Info ]
 * n/a
----
Start a VM and attach an usb host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
  <source>
    <vendor id='0x1d6b'/>
    <product id='0x0001'/>
  </source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
  /sys/bus/usb/devices r,
  /sys/bus/usb/devices/ r,
  /sys/bus/usb/devices/* r,
2022-11-22 10:24:16 Launchpad Janitor merge proposal linked https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/433429
2022-11-22 14:57:17 Launchpad Janitor merge proposal linked https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/433443
2022-11-22 15:01:16 Launchpad Janitor merge proposal linked https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/433444
2022-11-24 06:54:15 Christian Ehrhardt  libvirt (Ubuntu Jammy): assignee Christian Ehrhardt  (paelzer)
2022-11-24 06:54:17 Christian Ehrhardt  libvirt (Ubuntu Kinetic): assignee Christian Ehrhardt  (paelzer)
2022-11-24 07:18:47 Christian Ehrhardt  libvirt (Ubuntu): status Confirmed In Progress
2022-11-24 07:18:49 Christian Ehrhardt  libvirt (Ubuntu Jammy): status Triaged In Progress
2022-11-24 07:18:50 Christian Ehrhardt  libvirt (Ubuntu Kinetic): status Triaged In Progress
2022-11-29 02:36:24 Launchpad Janitor libvirt (Ubuntu): status In Progress Fix Released
2022-12-05 20:34:36 Brian Murray libvirt (Ubuntu Kinetic): status In Progress Fix Committed
2022-12-05 20:34:38 Brian Murray bug added subscriber Ubuntu Stable Release Updates Team
2022-12-05 20:34:39 Brian Murray bug added subscriber SRU Verification
2022-12-05 20:34:43 Brian Murray tags libvirt-23.04 server-todo libvirt-23.04 server-todo verification-needed verification-needed-kinetic
2022-12-06 20:38:56 Brian Murray libvirt (Ubuntu Jammy): status In Progress Fix Committed
2022-12-06 20:39:01 Brian Murray tags libvirt-23.04 server-todo verification-needed verification-needed-kinetic libvirt-23.04 server-todo verification-needed verification-needed-jammy verification-needed-kinetic
2022-12-08 13:20:18 Andreas Hasenack description
Old value:
[ Impact ]
 * Never code makes qemu+libs access a directory that only contains symlinks. Usually apparmor ignores that as the target of the link matters. But the new code fetches attributes of the links and then the link path (not the target) matters. Due to that users see apparmor denials and might even have issues using their USB to guest forwarding
 * The access to those links is considered save and a rule to allow that was brought upstream. These SRU uploads will fix the same in Ubuntu back to Jammy and later
[ Test Plan ]
 * Set up a VM on a Host
 * Define a USB hostdev as shown below (or click one together in virt manager if you prefer that)
 * Attach that device to the guest (also shown below in the initial report)
 * Check if the attach worked and if no apparmor denials were reported
[ Where problems could occur ]
 * This is opening up isolation (just a little bit) which is usually the safe direction and (so far) has not triggered regressions in the past. I can only think of people that might have done complex workarounds for the issue that - now that it works as intended - might see a change in behavior. But that is very unlikely, just mention it here as I consider it the most likely (albeit very unlikely) regression.
[ Other Info ]
 * n/a
----
Start a VM and attach an usb host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
  <source>
    <vendor id='0x1d6b'/>
    <product id='0x0001'/>
  </source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
  /sys/bus/usb/devices r,
  /sys/bus/usb/devices/ r,
  /sys/bus/usb/devices/* r,
New value:
[ Impact ]
 * Never code makes qemu+libs access a directory that only
   contains symlinks. Usually apparmor ignores that as the
   target of the link matters. But the new code fetches
   attributes of the links and then the link path (not
   the target) matters.
   Due to that users see apparmor denials and might even
   have issues using their USB to guest forwarding
 * The access to those links is considered safe and a rule
   to allow that was brought upstream. These SRU uploads
   will fix the same in Ubuntu back to Jammy and later
[ Test Plan ]
 * Set up a VM on a Host
 * Define a USB hostdev as shown below (or click one
   together in virt manager if you prefer that)
 * Attach that device to the guest (also shown below
   in the initial report)
 * Check if the attach worked and if no apparmor
   denials were reported
[ Where problems could occur ]
 * This is opening up isolation (just a little bit) which
   is usually the safe direction and (so far) has not
   triggered regressions in the past.
   I can only think of people that might have done complex
   workarounds for the issue that - now that it works as
   intended - might see a change in behavior. But that is
   very unlikely, just mention it here as I consider it
   the most likely (albeit very unlikely) regression.
[ Other Info ]
 * n/a
----
Start a VM and attach an usb host device:
virsh attach-device --domain subVmTest1 --file /tmp/usbhostedxml
Contents of the file:
<hostdev mode='subsystem' type='usb'>
  <source>
    <vendor id='0x1d6b'/>
    <product id='0x0001'/>
  </source>
</hostdev>
audit: type=1400 audit(1666100716.885:298): apparmor="DENIED" operation="open" class="file" profile="libvirt-481c0a95-679a-487f-bbd4-f39761f9c982" name="/sys/bus/usb/devices/" pid=18217 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
I've extended the apparmor profile (/etc/apparmor.d/abstractions/libvirt-qemu) for testing with two new lines, and now apparmor does not complain.
  /sys/bus/usb/devices r,
  /sys/bus/usb/devices/ r,
  /sys/bus/usb/devices/* r,
2022-12-12 07:07:27 Christian Ehrhardt  tags libvirt-23.04 server-todo verification-needed verification-needed-jammy verification-needed-kinetic libvirt-23.04 server-todo verification-done-jammy verification-needed verification-needed-kinetic
2022-12-12 10:26:30 Christian Ehrhardt  tags libvirt-23.04 server-todo verification-done-jammy verification-needed verification-needed-kinetic libvirt-23.04 server-todo verification-done verification-done-jammy verification-done-kinetic
2023-01-03 21:18:34 Launchpad Janitor libvirt (Ubuntu Jammy): status Fix Committed Fix Released
2023-01-03 21:18:41 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2023-01-03 21:20:28 Launchpad Janitor libvirt (Ubuntu Kinetic): status Fix Committed Fix Released