Skip to content
Snippets Groups Projects
Commit 157a5ec2 authored by Andrea Bolognani's avatar Andrea Bolognani
Browse files

patches: Add backports

Specifically:

  * backport/apparmor-Allow-umount-dev.patch
  * backport/qemu_interface-Fix-managed-no-case-when-creating-an-ether.patch

which fix a couple of regressions.
parent 217f0860
No related branches found
No related tags found
1 merge request!173Prepare 9.0.0-1
From: Andrea Bolognani <abologna@redhat.com>
Date: Wed, 18 Jan 2023 10:28:04 +0100
Subject: apparmor: Allow umount(/dev)
Commit 379c0ce4bfed introduced a call to umount(/dev) performed
inside the namespace that we run QEMU in.
As a result of this, on machines using AppArmor, VM startup now
fails with
internal error: Process exited prior to exec: libvirt:
QEMU Driver error: failed to umount devfs on /dev: Permission denied
The corresponding denial is
AVC apparmor="DENIED" operation="umount" profile="libvirtd"
name="/dev/" pid=70036 comm="rpc-libvirtd"
Extend the AppArmor configuration for virtqemud and libvirtd so
that this operation is allowed.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jim Fehlig <jfehlig@suse.com>
(cherry picked from commit ef4829510549ec68cf80774e98b200a3e7bbe51f)
---
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
src/security/apparmor/usr.sbin.virtqemud.in | 1 +
2 files changed, 2 insertions(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 886f1ad..edb8dd8 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -35,6 +35,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
mount options=(rw,rslave) -> /,
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
umount /{var/,}run/libvirt/qemu/*.dev/,
+ umount /dev/,
# libvirt provides any mounts under /dev to qemu namespaces
mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
diff --git a/src/security/apparmor/usr.sbin.virtqemud.in b/src/security/apparmor/usr.sbin.virtqemud.in
index 3de03d4..f269c60 100644
--- a/src/security/apparmor/usr.sbin.virtqemud.in
+++ b/src/security/apparmor/usr.sbin.virtqemud.in
@@ -35,6 +35,7 @@ profile virtqemud @sbindir@/virtqemud flags=(attach_disconnected) {
mount options=(rw,rslave) -> /,
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
umount /{var/,}run/libvirt/qemu/*.dev/,
+ umount /dev/,
# libvirt provides any mounts under /dev to qemu namespaces
mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
From: Michal Privoznik <mprivozn@redhat.com>
Date: Mon, 23 Jan 2023 11:42:18 +0100
Subject: qemu_interface: Fix managed='no' case when creating an ethernet
interface
In a recent commit of v9.0.0-rc1~192 I've tried to forbid case
where a TAP device already exists, but at the same time it's
managed by Libvirt (<interface type='ethernet'> <target
dev='tap0' managed='yes'/> </interface>). NB, if @managed
attribute is missing then it's assumed to be managed by Libvirt.
Anyway, I've mistakenly put setting of
VIR_NETDEV_TAP_CREATE_ALLOW_EXISTING flag into managed='yes'
branch instead of managed='no' branch in
qemuInterfaceEthernetConnect().
Move the setting of the flag into the correct branch.
Fixes: a2ae3d299cf9c5ada8aa42ec4271748eb479dc27
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit d6a8b9eef70887e01fa5fd292580e14ca5eab08c)
---
src/qemu/qemu_interface.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_interface.c b/src/qemu/qemu_interface.c
index b6895ce..ed2c209 100644
--- a/src/qemu/qemu_interface.c
+++ b/src/qemu/qemu_interface.c
@@ -443,6 +443,9 @@ qemuInterfaceEthernetConnect(virDomainDef *def,
_("target managed='no' but specified dev doesn't exist"));
goto cleanup;
}
+
+ tap_create_flags |= VIR_NETDEV_TAP_CREATE_ALLOW_EXISTING;
+
if (virNetDevMacVLanIsMacvtap(net->ifname)) {
auditdev = net->ifname;
if (virNetDevMacVLanTapOpen(net->ifname, tapfd, tapfdSize) < 0)
@@ -461,8 +464,6 @@ qemuInterfaceEthernetConnect(virDomainDef *def,
if (!net->ifname)
template_ifname = true;
- tap_create_flags |= VIR_NETDEV_TAP_CREATE_ALLOW_EXISTING;
-
if (virNetDevTapCreate(&net->ifname, tunpath, tapfd, tapfdSize,
tap_create_flags) < 0) {
goto cleanup;
......@@ -46,10 +46,10 @@ index ff1d46b..5a50823 100644
#include <local/usr.lib.libvirt.virt-aa-helper>
}
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 886f1ad..a4ed6ea 100644
index edb8dd8..741f3b2 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -138,4 +138,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
@@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
}
......
backport/apparmor-Allow-umount-dev.patch
backport/qemu_interface-Fix-managed-no-case-when-creating-an-ether.patch
forward/Skip-vircgrouptest.patch
forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment