[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2018-01-23 Thread Bug Watch Updater
** Changed in: libvirt (Debian) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1680384 Title: libvirt-qemu apparmor profiles misses several important entries

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-12-07 Thread ChristianEhrhardt
Hi Martin, my particular fix on proc/*/cmdline (the one you hit atm) I didn't upstream yet [1] for the potential security risk (I wanted to wait for an idea how to do it even better, but had no better idea in my discussions with smb yet). But it was just recently discussed as someone else was

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-12-06 Thread Bug Watch Updater
** Changed in: libvirt (Debian) Status: Unknown => Confirmed

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-12-06 Thread Martin Pitt
Christian: This bug now hit debian-testing (see http://209.132.184.41/logs/pull-8219-20171206-214646-d2e9e141-verify-debian-testing/log.html#2). Is there an upstream bug/patch mail for reference, or are these Debian/Ubuntu downstream rules? ** Bug watch added: Debian Bug tracker #878203

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-23 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 1.3.1-1ubuntu10.10 --- libvirt (1.3.1-1ubuntu10.10) xenial; urgency=medium * Fix bad SRU backport to match apparmor structure of libvirt in Xenial (LP: #1680384) - drop d/p/ubuntu/apparmor-shutdown.patch as the libvirt code here

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-22 Thread ChristianEhrhardt
FYI - Xenial was re-rolled so it waits a few days longer to be the right time in -proposed without reports. The SRU Team will likely pick it up in a few days.

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-22 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 2.5.0-3ubuntu5.1 --- libvirt (2.5.0-3ubuntu5.1) zesty; urgency=medium * Add missing apparmor profile entries (LP: #1680384) - debian/patches/ubuntu/apparmor-vfio.patch: apparmor: add /dev/vfio for vf (hot) attach -

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-22 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 2.1.0-1ubuntu9.5 --- libvirt (2.1.0-1ubuntu9.5) yakkety; urgency=medium * Add missing apparmor profile entries (LP: #1680384) - debian/patches/ubuntu/apparmor-vfio.patch: apparmor: add /dev/vfio for vf (hot) attach -

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-16 Thread ChristianEhrhardt
With so much back and forth going on I double checked that this is against the right package from proposed. $ apt-cache policy libvirt-bin libvirt-bin: Installed: 1.3.1-1ubuntu10.10 Candidate: 1.3.1-1ubuntu10.10 Version table: *** 1.3.1-1ubuntu10.10 500 500

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-16 Thread Andy Whitcroft
Hello ChristianEhrhardt, or anyone else affected, Accepted libvirt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/1.3.1-1ubuntu10.10 in a few hours, and then in the -proposed repository. Please help us by testing this new

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-16 Thread ChristianEhrhardt
Ok, with the fixup for Xenial (https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2769/+packages) it is also good there now. Now contacting the release Team to help me replace that in proposed and do a final test from there.

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-16 Thread ChristianEhrhardt
Verification is ok for Yakkety and Zesty. On Xenial there is an issue (nothing that breaks, but it doesn't fix it due to the apparmor packaging structure there being different). I already have a follow on patch ready and test it now. Hopefully I can reject/replace the one in x-p rather soon.

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-11 Thread Brian Murray
Hello ChristianEhrhardt, or anyone else affected, Accepted libvirt into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libvirt/2.5.0-3ubuntu5.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package.

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-09 Thread ChristianEhrhardt
- Added and filled associated SRU Template - checked once more the dep8 tests on the test bileto ppa - checked regression tests - added tasks for affected releases With that in place uploaded to the unapproved queue of these releases Please do note that Trusty is a bit old for the SRU as-is,

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-09 Thread ChristianEhrhardt
** Description changed: - By debugging various bugs I've found several entries missing in the - libvirt-qemu apparmor abstraction. + [Impact] + + * Attaching of virtual functions (SR-IOV) not possible without manually +modification of apparmor rules + * libvirt/qemu guest logfiles can not

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-05-09 Thread ChristianEhrhardt
** Also affects: libvirt (Ubuntu Zesty) Importance: Undecided Status: New ** Also affects: libvirt (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: libvirt (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: libvirt (Ubuntu Xenial)

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-26 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 2.5.0-3ubuntu6 --- libvirt (2.5.0-3ubuntu6) artful; urgency=medium * Add missing apparmor profile entries (LP: #1680384) - debian/patches/ubuntu/apparmor-vfio.patch: apparmor: add /dev/vfio for vf (hot) attach -

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-20 Thread ChristianEhrhardt
Updated the ppa with an extended fix to cover follow on access of ppc64_cpu in the apparmor profile as well now. Since we wait on the kernel/apparmor fix to be complete (bug 1679704) I pushed it to the ppa that I mentioned before. Now I wait on a ppc64el test kernel now by the other bug, as we

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-19 Thread ChristianEhrhardt
Somewhat refurbished way to solve this in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2724 Once built I'm testing these in combination with the special preview kernel JJ provided to get the setrlimit issue solved. On the actual integration we will have to see if this will still

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-13 Thread bugproxy
--- Comment From lagar...@br.ibm.com 2017-04-13 21:08 EDT--- Please, reverse mirror LP1680384 (libvirt-qemu apparmor profiles misses several important entries). ** Tags added: architecture-ppc64le bugnameltc-153458 severity-high targetmilestone-inin1704

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-06 Thread ChristianEhrhardt
The shutdown and vfio changes are actually already good, but the ppc kvm wrapper needs more. Not only rearrange as outlined above, but also ppc64_cpu accesses more down the road, so we need to add this and check for more: [20760.368049] audit: type=1400 audit(1491488425.671:93):

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-06 Thread ChristianEhrhardt
There is a section the ppc changes should go to: # kvm.powerpc executes this [...] Also while verifying I found that the changes are in the patch but were lost in the magic of the profiles are generated on build. But since we need to reroll for AA anyway I'll tackle that once I have a chance

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-06 Thread ChristianEhrhardt
Final Freeze today and this is not blocking install, so assume to reroll for AA once open and then SRU back. But Tests on the PPA are fine for now.

[Bug 1680384] Re: libvirt-qemu apparmor profiles misses several important entries

2017-04-06 Thread ChristianEhrhardt
Prepared a Test PPA at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2708/ Once tested on the issues and regressions we should shove that into zesty asap to meet the Freeze deadlines (or make it a very early update).