[Pkg-libvirt-maintainers] Bug#1077915: libvirt-daemon-system: update /etc/apparmor.d/usr.sbin.libvirtd because of move of qemu-bridge-helper

Olivier Gayot olivier.gayot at canonical.com
Fri Sep 6 11:48:41 BST 2024


Package: libvirt
Version: 10.6.0-1
Followup-For: Bug #1077915
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu oracular ubuntu-patch
Control: tags -1 patch

Dear Maintainer,

Since we are past feature freeze in the development release of Ubuntu,
we will probably apply the following upstream patch:

https://gitlab.com/libvirt/libvirt/-/commit/0caacf47d7b423db9126660fb0382ed56cd077c1

which seems to address the issue when using the qemu-bridge-helper from
/usr/libexec/qemu.

In Ubuntu, the attached patch was applied to achieve the following:

  * Apply upstream patch to allow access to
    /usr/libexec/qemu/qemu-bridge-helper in apparmor profile (LP: #2079806)
    - d/p/ubuntu-aa/allow-more-paths-for-qemu-bridge-helper.patch


Thanks for considering the patch.


-- System Information:
Debian Release: trixie/sid
  APT prefers oracular
  APT policy: (500, 'oracular')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-41-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff -Nru libvirt-10.6.0/debian/patches/series libvirt-10.6.0/debian/patches/series
--- libvirt-10.6.0/debian/patches/series	2024-08-12 21:14:48.000000000 +0200
+++ libvirt-10.6.0/debian/patches/series	2024-09-06 11:58:41.000000000 +0200
@@ -21,3 +21,4 @@
 ubuntu-aa/0033-UBUNTU-only-apparmor-for-kvm.powerpc-LP-1680384.patch
 ubuntu-aa/0034-apparmor-virt-aa-helper-access-for-snapped-nova.patch
 ubuntu-aa/lp-1815910-allow-vhost-hotplug.patch
+ubuntu-aa/allow-more-paths-for-qemu-bridge-helper.patch
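Review bot: The new entry is filed under ubuntu-aa/ even though its own header marks it Origin: upstream (a straight backport of libvirt commit 0caacf47d7), while the neighbouring ubuntu-aa/ entries are Ubuntu-only AppArmor deltas; placing it with the other upstream backports, outside ubuntu-aa/, would make it easier for the Debian maintainer to carry the same patch and drop it on the next upstream release. The filename also lacks the numeric or LP-bug prefix used by the surrounding entries (0033-, 0034-, lp-1815910-), so consider naming it consistently, e.g. lp-2079806-allow-more-paths-for-qemu-bridge-helper.patch.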
diff -Nru libvirt-10.6.0/debian/patches/ubuntu-aa/allow-more-paths-for-qemu-bridge-helper.patch libvirt-10.6.0/debian/patches/ubuntu-aa/allow-more-paths-for-qemu-bridge-helper.patch
--- libvirt-10.6.0/debian/patches/ubuntu-aa/allow-more-paths-for-qemu-bridge-helper.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-10.6.0/debian/patches/ubuntu-aa/allow-more-paths-for-qemu-bridge-helper.patch	2024-09-06 11:54:42.000000000 +0200
@@ -0,0 +1,64 @@
+Description: Allow more paths for qemu-bridge-helper
+ The QEMU package in Debian has recently moved the
+ qemu-bridge-helper binary under /usr/libexec/qemu. Update the
+ AppArmor profile accordingly.
+ .
+ https://bugs.debian.org/1077915
+ .
+ Signed-off-by: Andrea Bolognani <abologna at redhat.com>
+ Reviewed-by: Jim Fehlig <jfehlig at suse.com>
+Author: Andrea Bolognani <abologna at redhat.com>
+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/0caacf47d7b423db9126660fb0382ed56cd077c1
+Bug-Debian: https://bugs.debian.org/1077915
+Bug-Ubuntu: https://launchpad.net/bugs/2079806
+Applied-Upstream: https://gitlab.com/libvirt/libvirt/-/commit/0caacf47d7b423db9126660fb0382ed56cd077c1
+Last-Update: 2024-09-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
+index 47292d6c64..70e586895f 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd.in
++++ b/src/security/apparmor/usr.sbin.libvirtd.in
+@@ -117,7 +117,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+   # allow changing to our UUID-based named profiles
+   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+ 
+-  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
++  /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+   # child profile for bridge helper process
+   profile qemu_bridge_helper {
+    #include <abstractions/base>
+@@ -138,7 +138,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+    /etc/qemu/** r,
+    owner @{PROC}/*/status r,
+ 
+-   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
++   /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
+   }
+ 
+ @BEGIN_APPARMOR_3@
+diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
+index bbc6513146..42fa4813da 100644
+--- a/src/security/apparmor/usr.sbin.virtqemud.in
++++ b/src/security/apparmor/usr.sbin.virtqemud.in
+@@ -111,7 +111,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
+   # allow changing to our UUID-based named profiles
+   change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+ 
+-  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
++  /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+   # child profile for bridge helper process
+   profile qemu_bridge_helper {
+    #include <abstractions/base>
+@@ -131,7 +131,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
+    /etc/qemu/** r,
+    owner @{PROC}/*/status r,
+ 
+-   /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
++   /usr/{lib,lib64,lib/qemu,libexec,libexec/qemu}/qemu-bridge-helper rmix,
+   }
+ 
+ @BEGIN_APPARMOR_3@
+-- 
+GitLab
+
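Review bot: The change only touches the src/security/apparmor/*.in templates, while the bug in the subject is about the installed /etc/apparmor.d/usr.sbin.libvirtd, so please confirm that the package rebuilds the profiles from the templates and reloads them on upgrade; until the profile is reloaded a running libvirtd keeps denying the Cx transition for /usr/libexec/qemu/qemu-bridge-helper. The glob is widened consistently in all four places that matter (the parent Cx -> qemu_bridge_helper rule and the child profile's rmix rule, in both usr.sbin.libvirtd.in and usr.sbin.virtqemud.in), which is correct: the child profile must be allowed to execute the same path the parent transitions on, or the helper would be blocked after the transition. Two small cleanups: the trailing "-- " and "GitLab" lines are the web export's signature and carry no hunk content, so drop them from the patch file; and the header's "Bug-Ubuntu: https://launchpad.net/bugs/2079806" duplicates the LP reference already given in the changelog entry, which is fine, but the description could state that the new path is the only addition and that the existing paths are kept for backwards compatibility.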
