Load of pre-upgrade qemu modules needs to avoid noexec
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
qemu (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Christian Ehrhardt | ||
Focal |
Fix Released
|
Undecided
|
Christian Ehrhardt | ||
Groovy |
Won't Fix
|
Undecided
|
Unassigned | ||
Hirsute |
Fix Released
|
Undecided
|
Christian Ehrhardt |
Bug Description
[Impact]
* An infrequent but annoying issue is QEMUs problem to not be able to
hot-add capabilities IF since starting the instance qemu has been
upgraded. This is due to qemu modules only working with exactly the
same build.
* The problem is that the path everyone (upstream+security) agreed
to put the files in is mounted noexec by default in Ubuntu preventing
to load the .so from there.
* In new versions this is solved via a .mount unit which is great for
transparency and control e.g. opt in/out of this. But for the SRU
after backporting the mount unit at first it was decided that a rather
simple "check and tmp-mount if needed" is more resilient, less complex
(mount unit handling by systemd/dh* is vastly different across
releases) and would have less regression risk for scenarios
were the admin has already made the path non noexec.
[Test Case]
I:
* $ apt install uvtool-libvirt
$ uvt-simplestrea
$ uvt-kvm create --password ubuntu lateload arch=amd64 release=bionic label=daily
cat > curldisk.xml << EOF
<disk type='network' device='disk'>
<driver name='qemu' type='raw'/>
<source protocol="http" name="ubuntu/
<host name="archive.
</source>
<target dev='vdc' bus='virtio'/>
<readonly/>
</disk>
EOF
# Here up or downgrade the installed packages, even a minor
# version or a rebuild of the same version
# Instead if you prefer (easier) you can run
$ sudo apt install --reinstall qemu-block-extra
Next check if they appeared (action of the maintainer scripts)
in the /var/run/
$ find /var/run/qemu/
$ findmnt /var/run/qemu/
# And then rm/mv the original .so files of qemu-block-extra
sudo mv /usr/lib/
# Trying to load a .so now would after an upgrade fail as the old qemu can't load the build id
Without the fix this will now fail some way, e.g. on Focal with:
$ virsh attach-device lateload curldisk.xml
Reported issue happens on attach:
root@b:~# virsh attach-device lateload cdrom-curl.xml
error: Failed to attach device from curldisk.xml
error: internal error: unable to execute QEMU command 'blockdev-add': Unknown driver 'http'
That attach should work on >Focal and also one can also check files mapped into a process and we should see the /var/run/.. path being used now.
$ sudo cat /proc/$(pidof qemu-system-
The original file path:
7f619941b000-
But since we moved that way before being loaded it should point to /run/qemu/... this time.
II:
* As it had issues in the first iteration of the fix worth a try
This sub-test is only in Focal and Hirsute, was not present in Bionic.
This should have preference over the other dirs (usual load as well as fallback path), therefore we do NOT remove the usual paths and check if it works, we keep them but check the loaded binary.
TL;DR Copy the .so to another place and load it from there:
$ sudo cp /usr/lib/
$ QEMU_MODULE_
# Then in other console check if it loaded that
$ $ sudo cat /proc/$(pidof qemu-system-
7f3ef7dc1000-
7f3efa729000-
We see the qemu block lib from the wanted path and other libs from the system as usual.
III:
remount /run with exec, we want to see that it does NOT create a new mountpoint in this case:
$ sudo mount -o remount,exec /run
$ findmnt -T /var/run
TARGET SOURCE FSTYPE OPTIONS
/run tmpfs tmpfs rw,nosuid,
Then upgrade and recheck
$ find /var/run/qemu/; findmnt -T /var/run/qemu
/var/run/qemu/
/var/run/
/var/run/
/var/run/
/var/run/
/var/run/
/var/run/
/var/run/qemu/exec
TARGET SOURCE FSTYPE OPTIONS
/run tmpfs tmpfs rw,nosuid,
Important is that in this case it is still /run and not /run/qemu
[Regression Potential]
Via extensive discussion we tried to find the least regression-risk way
but still the most likely regression would be where administrators have
taken means to modify/prepare /run/qemu themselves which might now collide.
[Other Info]
In Focal there were a few more (effectively no-op) mistakes which are cleaned up by this as well. It did save gui modules (not present in bionic, not wrong in hirsute) that can not be late loaded, so there is no point in saving them. Furthermore it had (bad patch match) enabled the feature on the qemu-system-x86-xen builds which have no use-case for this.
---
This is a continuation of bug 1847361.
Since that is in Ubuntu and Debian we are:
- correctly saving the modules to those paths in /var/run/qemu.
- qemu tries to load from that path as fallback
- that works fine in containers running qemu/kvm
But there is an issue on non-container systems as /run usually is like this:
tmpfs on /run type tmpfs (rw,nosuid,
The important bit here is the "noexec" which is intentional (for security reasons), but prevents the loading of shared objects from that path.
The path is good for many reasons (it is auto-cleaned, upstream and Distros agreed to this one path, ...). Moving it to other places also quite likely might have unpredictable options.
In a discussion between Victor (thanks for all the pushign and inpot on this) and Marc (security POV) we have come to a solution that will make just the subpath that is owned by qemu to not have noexec set.
This bug shall track preparing this fix for Debian / Ubuntu and the latter SRu considerations on the same.
Related branches
- Utkarsh Gupta (community): Approve
- Dan Streetman (community): Abstain
- Ubuntu Stable Release Updates Team: Pending requested
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 77 lines (+30/-6)2 files modifieddebian/changelog (+10/-0)
debian/rules (+20/-6)
- Utkarsh Gupta (community): Approve
- Dan Streetman (community): Abstain
- Ubuntu Stable Release Updates Team: Pending requested
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 62 lines (+26/-1)3 files modifieddebian/changelog (+10/-0)
debian/qemu-block-extra.postrm.in (+8/-1)
debian/qemu-block-extra.prerm.in (+8/-0)
- Utkarsh Gupta (community): Approve
- Dan Streetman (community): Abstain
- Ubuntu Stable Release Updates Team: Pending requested
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
-
Diff: 177 lines (+27/-48)5 files modifieddebian/changelog (+12/-0)
debian/qemu-block-extra.postrm.in (+6/-1)
debian/qemu-block-extra.prerm.in (+8/-0)
debian/rules (+1/-1)
dev/null (+0/-46)
- Christian Ehrhardt (community): Disapprove
-
Diff: 323 lines (+226/-9)8 files modifieddebian/patches/lp1913421-keep-old-package-block-modules-in-usr-lib-dir-and-us.patch (+25/-0)
debian/patches/series (+1/-0)
debian/qemu-block-extra.postrm (+45/-0)
debian/qemu-block-extra.prerm (+47/-0)
debian/qemu-system-common.postrm (+43/-0)
debian/qemu-system-gui.postrm (+46/-0)
debian/qemu-system-gui.prerm (+12/-1)
debian/rules (+7/-8)
- Dan Streetman (community): Disapprove
- Victor Tapia (community): Needs Fixing
- Sergio Durigan Junior (community): Needs Fixing
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
-
Diff: 110 lines (+55/-2)4 files modifieddebian/changelog (+14/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1913421-keep-old-package-block-modules-in-usr-lib-dir.patch (+31/-0)
debian/rules (+9/-2)
CVE References
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in qemu (Ubuntu Bionic): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
Changed in qemu (Ubuntu Focal): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
Changed in qemu (Ubuntu Hirsute): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Status changed to 'Confirmed' because the bug affects multiple users.