Your message dated Fri, 22 Jan 2016 13:36:03 +0000
with message-id <[email protected]>
and subject line Bug#812069: fixed in libvirt 1.3.1-1
has caused the Debian Bug report #812069,
regarding virt-aa-helper: please whitelist /usr/share/OVMF (EFI) for read-only access under AppArmor
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
812069: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812069
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libvirt-daemon-system
Version: 1.3.0-2
Severity: normal
File: /usr/lib/libvirt/virt-aa-helper
Tags: patch upstream

When I configure a guest for EFI boot on a host system with AppArmor
enabled, virt-aa-helper generates an AppArmor profile that fails its
own validation:

libvirtd: 13583: error : virCommandWait:2552 : internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -p 0 -c -u libvirt-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) unexpected exit status 1: virt-aa-helper: error: /usr/share/OVMF/OVMF_CODE.fd#012virt-aa-helper: error: skipped restricted file#012virt-aa-helper: error: invalid VM definition

This appears to be because virt-aa-helper is willing to accept
/usr/share/ovmf as an acceptable read-only path for a virtual machine,
but not /usr/share/OVMF. The attached patch seems to work.

(I wonder whether it would make sense to just allow all of /usr/share to be
read-only, but that's more of a policy question.)

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libvirt-daemon-system depends on:
ii  adduser              3.113+nmu3
ii  gettext-base         0.19.7-2
ii  init-system-helpers  1.25
ii  libapparmor1         2.10-2+b2
ii  libaudit1            1:2.4.5-1
ii  libblkid1            2.27.1-1
ii  libc6                2.21-6
ii  libcap-ng0           0.7.7-1+b1
ii  libdbus-1-3          1.11.0-1
ii  libdevmapper1.02.1   2:1.02.114-1
ii  libnl-3-200          3.2.26-1
ii  libnl-route-3-200    3.2.26-1
ii  libnuma1             2.0.11-1
ii  librados2            0.80.11-1
ii  librbd1              0.80.11-1
ii  libselinux1          2.4-3
ii  libsystemd0          228-4
ii  libvirt-clients      1.3.0-2+aa1
ii  libvirt-daemon       1.3.0-2+aa1
ii  libvirt0             1.3.0-2+aa1
ii  libxml2              2.9.3+dfsg1-1
ii  libyajl2             2.1.0-2
ii  logrotate            3.8.7-2
ii  policykit-1          0.105-14.1

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-9
ii  dmidecode     3.0-2
ii  dnsmasq-base  2.75-1
ii  ebtables      2.0.10.4-3
ii  iproute2      4.3.0-1
ii  iptables      1.4.21-2+b1
ii  parted        3.2-13
ii  pm-utils      1.4.1-15

Versions of packages libvirt-daemon-system suggests:
ii  apparmor    2.10-2+b2
pn  auditd      <none>
pn  nfs-common  <none>
pn  radvd       <none>
ii  systemd     228-4
pn  systemtap   <none>

-- no debconf information
diffstat for libvirt-1.3.0 libvirt-1.3.0

 changelog                                                      |    7 +
 patches/series                                                 |    1 
 patches/virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch |   56 ++++++++++
 3 files changed, 64 insertions(+)

diff -Nru libvirt-1.3.0/debian/changelog libvirt-1.3.0/debian/changelog
--- libvirt-1.3.0/debian/changelog	2016-01-05 23:04:32.000000000 +0000
+++ libvirt-1.3.0/debian/changelog	2016-01-19 21:28:22.000000000 +0000
@@ -1,3 +1,10 @@
+libvirt (1.3.0-2+aa1) UNRELEASED; urgency=medium
+
+  * Add a patch to make virt-aa-helper allow reading the new location
+    of OVMF firmware
+
+ -- Simon McVittie <[email protected]>  Tue, 19 Jan 2016 21:28:12 +0000
+
 libvirt (1.3.0-2) unstable; urgency=medium
 
   * [836190e] Avoid duplicates in package descriptions. Thanks lintian
diff -Nru libvirt-1.3.0/debian/patches/series libvirt-1.3.0/debian/patches/series
--- libvirt-1.3.0/debian/patches/series	2016-01-05 19:53:36.000000000 +0000
+++ libvirt-1.3.0/debian/patches/series	2016-01-19 21:28:22.000000000 +0000
@@ -15,3 +15,4 @@
 debian/libsystemd.patch
 CVE-2015-5313-storage-don-t-allow-in-filesystem-volume-na.patch
 test-qemuxml2argv-Mock-virMemoryMaxValue-to-remove-32-64-.patch
+virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch
diff -Nru libvirt-1.3.0/debian/patches/virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch libvirt-1.3.0/debian/patches/virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch
--- libvirt-1.3.0/debian/patches/virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.3.0/debian/patches/virt-aa-helper-apparmor-allow-usr-share-OVMF-too.patch	2016-01-19 21:28:22.000000000 +0000
@@ -0,0 +1,56 @@
+From: Simon McVittie <[email protected]>
+Date: Tue, 19 Jan 2016 21:27:57 +0000
+Subject: virt-aa-helper, apparmor: allow /usr/share/OVMF/ too
+
+The split firmware and variables files introduced by
+https://bugs.debian.org/764918 are in a different directory for
+some reason. Let the virtual machine read both.
+---
+ examples/apparmor/libvirt-qemu | 1 +
+ src/security/virt-aa-helper.c  | 1 +
+ tests/virt-aa-helper-test      | 7 ++++++-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
+index efb4873..9f996ab 100644
+--- a/examples/apparmor/libvirt-qemu
++++ b/examples/apparmor/libvirt-qemu
+@@ -67,6 +67,7 @@
+   /usr/share/vgabios/** r,
+   /usr/share/seabios/** r,
+   /usr/share/ovmf/** r,
++  /usr/share/OVMF/** r,
+ 
+   # access PKI infrastructure
+   /etc/pki/libvirt-vnc/** r,
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 5de56e5..1a8f53e 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -570,6 +570,7 @@ valid_path(const char *path, const bool readonly)
+         "/vmlinuz",
+         "/initrd",
+         "/initrd.img",
++        "/usr/share/OVMF/",              /* for OVMF images */
+         "/usr/share/ovmf/"               /* for OVMF images */
+     };
+     /* override the above with these */
+diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
+index 1d03f5f..7e7a032 100755
+--- a/tests/virt-aa-helper-test
++++ b/tests/virt-aa-helper-test
+@@ -296,8 +296,13 @@ if [ -f /usr/share/ovmf/OVMF.fd ]; then
+         -e "s,###DISK###,$disk1,g" \
+         -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/ovmf/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
+     testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
++elif [ -f /usr/share/OVMF/OVMF.fd ]; then
++    sed -e "s,###UUID###,$uuid,g"  \
++        -e "s,###DISK###,$disk1,g" \
++        -e "s,</os>,<loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF.fd</loader></os>,g" "$template_xml" > "$test_xml"
++    testme "0" "ovmf" "-r -u $valid_uuid" "$test_xml"
+ else
+-    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd"
++    echo "Skipping OVMF test. Could not find /usr/share/ovmf/OVMF.fd or /usr/share/OVMF/OVMF.fd"
+ fi
+ 
+ sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,</os>,<initrd>$tmpdir/initrd</initrd></os>,g" "$template_xml" > "$test_xml"
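Review bot: the new `elif` branch in tests/virt-aa-helper-test only runs when /usr/share/ovmf/OVMF.fd is absent, so on a host that has both directories the /usr/share/OVMF/ entry is never exercised, and the file it puts into `<loader>` is the monolithic OVMF.fd rather than the split /usr/share/OVMF/OVMF_CODE.fd that the virt-aa-helper error in this report names. Consider making the second block an independent `if` with its own test label (the "ovmf" label is reused verbatim) and pointing it at OVMF_CODE.fd so the test covers the case that actually failed. The other two hunks look right: the profile rule `/usr/share/OVMF/** r,` is read-only like its lower-case neighbour, the new array element in virt-aa-helper.c sits next to the existing `/usr/share/ovmf/` entry and carries the trailing comma that the previous last element correctly lacked, and the new `echo` text lists both locations.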

--- End Message ---
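The report above comes down to a case-sensitive prefix whitelist. As an added example (not libvirt's code; the lists are constructed stand-ins for the real ones, and `path_accepted` is a simplified model of the valid_path(path, readonly) decision), this C snippet shows why the lower-case entry did not cover the new directory and what the patch's extra entry changes:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed lists, not libvirt's own: "/usr/share/" stands in for the
 * directories virt-aa-helper refuses to expose to a guest, and the
 * read-only exceptions are the two OVMF entries from the patch. */
static const char *const restricted[]   = { "/usr/share/", NULL };
static const char *const ro_ok_before[] = { "/usr/share/ovmf/", NULL };
static const char *const ro_ok_after[]  = { "/usr/share/OVMF/", "/usr/share/ovmf/", NULL };

/* Byte-wise, case-sensitive prefix test: "/usr/share/ovmf/" does not
 * cover "/usr/share/OVMF/", which is the whole bug. */
static bool starts_with_any(const char *path, const char *const *prefixes)
{
    for (size_t i = 0; prefixes[i] != NULL; i++)
        if (strncmp(path, prefixes[i], strlen(prefixes[i])) == 0)
            return true;
    return false;
}

/* Simplified model (assumption, not the real function): a path under a
 * restricted prefix is accepted only when the guest wants it read-only
 * and it sits under one of the read-only exception prefixes. Returns
 * true when the helper would emit an AppArmor rule for the path. */
static bool path_accepted(const char *path, bool readonly, const char *const *ro_ok)
{
    if (!starts_with_any(path, restricted))
        return true;                      /* e.g. a disk image outside /usr/share */
    return readonly && starts_with_any(path, ro_ok);
}

/* Whitelist as shipped in 1.3.0: only the lower-case directory. */
bool accepted_before_patch(const char *path, bool readonly)
{
    return path_accepted(path, readonly, ro_ok_before);
}

/* Whitelist with the patch's "/usr/share/OVMF/" entry added. */
bool accepted_after_patch(const char *path, bool readonly)
{
    return path_accepted(path, readonly, ro_ok_after);
}
```

Note that the fix only widens read-only access: a read-write request for the same firmware file is still refused after the patch.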
--- Begin Message ---
Source: libvirt
Source-Version: 1.3.1-1

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 22 Jan 2016 13:37:18 +0100
Source: libvirt
Binary: libvirt-bin libvirt-clients libvirt-daemon libvirt-daemon-system libvirt0 libvirt0-dbg libvirt-doc libvirt-dev libvirt-sanlock
Architecture: all source
Version: 1.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <[email protected]>
Changed-By: Guido Günther <[email protected]>
Closes: 812069
Description: 
 libvirt0-dbg - library for interfacing with different virtualization systems - d
 libvirt0   - library for interfacing with different virtualization systems
 libvirt-bin - Dummy transitional package
 libvirt-clients - Programs for the libvirt library
 libvirt-daemon-system - Libvirt daemon configuration files
 libvirt-daemon - Virtualization daemon
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - Sanlock plugin for virtlockd
Changes:
 libvirt (1.3.1-1) unstable; urgency=medium
 .
   [ Guido Günther ]
   * [4f04c2c] New upstream version 1.3.1
 .
   [ Simon McVittie ]
  * [a0b3e59] Add a patch to make virt-aa-helper allow reading the new location of OVMF firmware
     (Closes: #812069)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 


--- End Message ---
