Public bug reported:

This is a continuation of bug 1847361.

Since that is in Ubuntu and Debian we are:
- correctly saving the modules to those paths in /var/run/qemu.
- qemu tries to load from that path as fallback
- that works fine in containers running qemu/kvm

But there is an issue on non-container systems as /run usually is like this:

  tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=3274920k,mode=755)

The important bit here is the "noexec" which is intentional (for security reasons), but prevents the loading of shared objects from that path.

The path is good for many reasons (it is auto-cleaned, upstream and Distros agreed to this one path, ...). Moving it to other places also quite likely might have unpredictable options.

In a discussion between Victor (thanks for all the pushing and input on this) and Marc (security POV) we have come to a solution that will make just the subpath that is owned by qemu to not have noexec set.

This bug shall track preparing this fix for Debian / Ubuntu and the latter SRU considerations on the same.

** Affects: qemu (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: qemu (Ubuntu Bionic)
     Importance: Undecided
         Status: Confirmed

** Affects: qemu (Ubuntu Focal)
     Importance: Undecided
         Status: Confirmed

** Affects: qemu (Ubuntu Groovy)
     Importance: Undecided
         Status: Confirmed

** Also affects: qemu (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: qemu (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: qemu (Ubuntu Bionic)
   Importance: Undecided
       Status: New

--
https://bugs.launchpad.net/bugs/1913421

Title:
  Load of pre-upgrade qemu modules needs to avoid noexec
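
An added example, not part of the original report or of the qemu packaging: a check that finds which mount governs a path and whether it carries noexec, so the effect of a separate mount on the qemu-owned subpath can be verified. The sample tables are constructed; the /run/qemu mount line is an assumed post-fix state, and the function names are hypothetical.

```python
import os

# Constructed /proc/mounts-style sample. The /run line mirrors the mount quoted
# in the report; the /run/qemu line is an ASSUMED post-fix state in which only
# the qemu-owned subpath is mounted without noexec.
SAMPLE_BEFORE = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=3274920k,mode=755 0 0\n"
)
SAMPLE_AFTER = SAMPLE_BEFORE + "tmpfs /run/qemu tmpfs rw,nosuid,nodev,relatime,mode=755 0 0\n"


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field


def parse_mounts(text):
    """Return [(mountpoint, set_of_options)] in table order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((_unescape(parts[1]), set(parts[3].split(","))))
    return mounts


def covering_mount(path, mounts):
    """Longest mountpoint prefix wins; on ties the later entry shadows the earlier."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        mp = mountpoint.rstrip("/") or "/"
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, opts)
    return best


def is_noexec(path, mounts_text):
    mount = covering_mount(path, parse_mounts(mounts_text))
    return mount is not None and "noexec" in mount[1]


if __name__ == "__main__":
    # Live check: resolve the /var/run symlink before matching mountpoints.
    target = os.path.realpath("/var/run/qemu")
    with open("/proc/self/mounts") as fh:
        print(target, "noexec" if is_noexec(target, fh.read()) else "exec allowed")
```

Matching on a path boundary rather than a raw string prefix keeps a sibling such as /run/qemux under the noexec /run mount.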