Bug#796088: jessie-pu: package libvirt/1.2.9-9+deb8u1
Control: tag -1 - moreinfo
Hi,
Guido Günther wrote (20 Aug 2015 11:57:36 GMT) :
> On Wed, Aug 19, 2015 at 04:53:32PM +0100, Adam D. Barratt wrote:
>> I have to admit that I'm also confused by the patch for #786650:
[...]
>> That seems to make sense...
>>
>> + # for hostdev
>> + /sys/devices/ r,
>> + /sys/devices/** r,
>> ++ deny /dev/sd* r,
>> ++ deny /dev/vd* r,
>> ++ deny /dev/dm-* r,
>> ++ deny /dev/mapper/ r,
>> ++ deny /dev/mapper/* r,
>>
>> ... these not so much.
> According to Felix (cc:) these are only here to silence some denials
> filling the logs otherwise. So they cause no harm but are not mentioned
> in the changelog. I could fix that up before an upload.
We've discussed this on #786650, and as a result here's an updated
debdiff: the only change, compared to the one Guido submitted
initially, is that Allow-access-to-libnl-3-config-files.patch now does
not include these changes, which are unrelated to #786650, the bug this
patch was meant to fix.
I've just built and tested on Jessie, and could successfully start
a VM with AppArmor enforced.
Cheers,
--
intrigeri
diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
--- libvirt-1.2.9/debian/changelog 2015-02-06 15:43:48.000000000 +0100
+++ libvirt-1.2.9/debian/changelog 2015-08-24 16:21:08.000000000 +0200
@@ -1,3 +1,28 @@
+libvirt (1.2.9-9+deb8u1) jessie; urgency=medium
+
+ [ Guido Günther ]
+ * [8e4cf5a] Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm
+ or kqemu.
+ Thanks to Luke Faraone for the report (Closes: #786650)
+ * [ad1ff0b] Adjust gbp.conf for jessie
+ * [c830a54] Disable test suite due to libxml2 bug #781232 in jessie
+ * [be70aec] Fix crash on live migration
+ this supplements 07dbec0a64783f644854a22aa0355720f0328d17.
+ Thanks to Eckebrecht von Pappenheim (Closes: #7788171)
+
+ [ Felix Geyer ]
+ * [9fb6c59] Allow access to libnl-3 configuration (Closes: #786652)
+
+ [ intrigeri ]
+ * Allow-access-to-libnl-3-config-files.patch: revert changes that are
+ unrelated to the bug this patch is meant to fix.
+
+ [ Daniel P. Berrange ]
+ * [afae69a] Report original error when QMP probing fails with new QEMU
+ (Closes: #780093)
+
+ -- Guido Günther <agx@sigxcpu.org> Thu, 13 Aug 2015 15:56:49 +0200
+
libvirt (1.2.9-9) unstable; urgency=medium
* [4c14b83] qemu: Don't try to parse -help for new QEMU.
diff -Nru libvirt-1.2.9/debian/gbp.conf libvirt-1.2.9/debian/gbp.conf
--- libvirt-1.2.9/debian/gbp.conf 2015-02-05 21:22:11.000000000 +0100
+++ libvirt-1.2.9/debian/gbp.conf 2015-08-24 16:21:08.000000000 +0200
@@ -1,6 +1,7 @@
[DEFAULT]
upstream-branch=upstream/sid
-debian-branch=master
+debian-branch=debian/jessie
+dist=jessie
[gbp-pq]
patch-numbers = False
diff -Nru libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch
--- libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.9/debian/patches/Allow-access-to-libnl-3-config-files.patch 2015-08-24 16:21:08.000000000 +0200
@@ -0,0 +1,22 @@
+From: Felix Geyer <fgeyer@debian.org>
+Date: Sat, 13 Jun 2015 10:22:40 +0200
+Subject: Allow access to libnl-3 config files
+
+Closes: #786650
+---
+ examples/apparmor/usr.lib.libvirt.virt-aa-helper | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/examples/apparmor/usr.lib.libvirt.virt-aa-helper b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+index bceaaff..a3c9938 100644
+--- a/examples/apparmor/usr.lib.libvirt.virt-aa-helper
++++ b/examples/apparmor/usr.lib.libvirt.virt-aa-helper
+@@ -16,6 +16,8 @@
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
++ /etc/libnl-3/classid r,
++
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
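Review bot: The patch header's `Closes: #786650` disagrees with the changelog entry for this same patch, which closes #786652, while #786650 is the number the virt-aa-helper template patch also claims; one of the two references looks copied from the other patch, and whichever is wrong should be corrected before upload so the right bug is closed. The rule itself, `/etc/libnl-3/classid r,`, grants read-only access to a single file, which is the narrowest grant that resolves the reported denial, so the profile change needs no further tightening.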
diff -Nru libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch
--- libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.9/debian/patches/Fix-crash-on-live-migration.patch 2015-08-24 16:21:08.000000000 +0200
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sat, 13 Jun 2015 10:38:26 +0200
+Subject: Fix crash on live migration
+
+this supplements 07dbec0a64783f644854a22aa0355720f0328d17.
+
+Closes: #7788171
+Thanks: Eckebrecht von Pappenheim
+---
+ src/qemu/qemu_migration.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
+index e18556f..87f3f1a 100644
+--- a/src/qemu/qemu_migration.c
++++ b/src/qemu/qemu_migration.c
+@@ -2746,7 +2746,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
+ QEMU_ASYNC_JOB_MIGRATION_IN) < 0)
+ goto stop;
+
+- if (STREQ(protocol, "rdma") &&
++ if (STREQ_NULLABLE(protocol, "rdma") &&
+ virProcessSetMaxMemLock(vm->pid, vm->def->mem.hard_limit << 10) < 0) {
+ goto stop;
+ }
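Review bot: `Closes: #7788171` in the patch header has seven digits, which does not look like a valid Debian bug number (the changelog in this upload repeats the same value), so the intended bug will not be closed and the reference should be checked before upload. The code change itself, `STREQ_NULLABLE(protocol, "rdma")`, makes a NULL protocol compare unequal instead of being dereferenced, which matches the crash the subject describes; the enclosing function qemuMigrationPrepareAny starts and ends outside the hunk. A one-line comment above the condition, e.g. `/* protocol may be NULL here, so use the NULL-safe comparison */`, would record why the ordinary STREQ is not enough.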
diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
--- libvirt-1.2.9/debian/patches/series 2015-02-06 14:03:20.000000000 +0100
+++ libvirt-1.2.9/debian/patches/series 2015-08-24 16:21:08.000000000 +0200
@@ -27,3 +27,7 @@
security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-security-.patch
security/CVE-2015-0236-qemu-Check-ACLs-when-dumping-securi-14.patch
qemu-Don-t-try-to-parse-help-for-new-QEM.patch
+upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch
+Allow-access-to-libnl-3-config-files.patch
+Fix-crash-on-live-migration.patch
+upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
diff -Nru libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
--- libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch 2015-08-24 16:21:08.000000000 +0200
@@ -0,0 +1,182 @@
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 15 Jun 2015 09:04:34 +0200
+Subject: Report original error when QMP probing fails with new QEMU
+
+If probing capabilities via QMP fails, we now have a check
+that prevents us falling back to -help parsing. Unfortunately
+the error message
+
+ "Failed to probe capabilities for /usr/bin/qemu-kvm:
+ unsupported configuration: QEMU 2.1.2 is too new for help parsing"
+
+is proving rather unhelpful to the user. We need to be telling
+them why QMP failed (the root cause), rather than they can't
+use -help (the side effect).
+
+To do this we should capture stderr during QMP probing, and
+if -help parsing then sees a new QEMU version, we know that
+QMP should have worked, and so we can show the messages from
+stderr. The message thus becomes
+
+ "Failed to probe capabilities for /usr/bin/qemu-kvm:
+ internal error: QEMU / QMP failed: Could not access
+ KVM kernel module: No such file or directory
+ failed to initialize KVM: No such file or directory"
+---
+ src/qemu/qemu_capabilities.c | 37 +++++++++++++++++++++++++++----------
+ src/qemu/qemu_capabilities.h | 3 ++-
+ tests/qemuhelptest.c | 2 +-
+ 3 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index 9e0158c..b6144ea 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -1325,7 +1325,8 @@ int virQEMUCapsParseHelpStr(const char *qemu,
+ unsigned int *version,
+ bool *is_kvm,
+ unsigned int *kvm_version,
+- bool check_yajl)
++ bool check_yajl,
++ const char *qmperr)
+ {
+ unsigned major, minor, micro;
+ const char *p = help;
+@@ -1386,9 +1387,15 @@ int virQEMUCapsParseHelpStr(const char *qemu,
+ * using QMP probing.
+ */
+ if (*version > 1002000) {
+- virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+- _("QEMU %u.%u.%u is too new for help parsing"),
+- major, minor, micro);
++ if (qmperr && *qmperr) {
++ virReportError(VIR_ERR_INTERNAL_ERROR,
++ _("QEMU / QMP failed: %s"),
++ qmperr);
++ } else {
++ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
++ _("QEMU %u.%u.%u is too new for help parsing"),
++ major, minor, micro);
++ }
+ goto cleanup;
+ }
+
+@@ -2933,7 +2940,7 @@ virQEMUCapsInitCached(virQEMUCapsPtr qemuCaps, const char *cacheDir)
+ #define QEMU_SYSTEM_PREFIX "qemu-system-"
+
+ static int
+-virQEMUCapsInitHelp(virQEMUCapsPtr qemuCaps, uid_t runUid, gid_t runGid)
++virQEMUCapsInitHelp(virQEMUCapsPtr qemuCaps, uid_t runUid, gid_t runGid, const char *qmperr)
+ {
+ virCommandPtr cmd = NULL;
+ bool is_kvm;
+@@ -2964,7 +2971,8 @@ virQEMUCapsInitHelp(virQEMUCapsPtr qemuCaps, uid_t runUid, gid_t runGid)
+ &qemuCaps->version,
+ &is_kvm,
+ &qemuCaps->kvmVersion,
+- false) < 0)
++ false,
++ qmperr) < 0)
+ goto cleanup;
+
+ /* x86_64 and i686 support PCI-multibus on all machine types
+@@ -3215,7 +3223,8 @@ static int
+ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
+ const char *libDir,
+ uid_t runUid,
+- gid_t runGid)
++ gid_t runGid,
++ char **qmperr)
+ {
+ int ret = -1;
+ virCommandPtr cmd = NULL;
+@@ -3275,13 +3284,16 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
+ virCommandSetGID(cmd, runGid);
+ virCommandSetUID(cmd, runUid);
+
++ virCommandSetErrorBuffer(cmd, qmperr);
++
+ /* Log, but otherwise ignore, non-zero status. */
+ if (virCommandRun(cmd, &status) < 0)
+ goto cleanup;
+
+ if (status != 0) {
+ ret = 0;
+- VIR_DEBUG("QEMU %s exited with status %d", qemuCaps->binary, status);
++ VIR_DEBUG("QEMU %s exited with status %d: %s",
++ qemuCaps->binary, status, *qmperr);
+ goto cleanup;
+ }
+
+@@ -3330,6 +3342,8 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
+ VIR_ERROR(_("Failed to kill process %lld: %s"),
+ (long long) pid,
+ virStrerror(errno, ebuf, sizeof(ebuf)));
++
++ VIR_FREE(*qmperr);
+ }
+ if (pidfile) {
+ unlink(pidfile);
+@@ -3370,6 +3384,7 @@ virQEMUCapsPtr virQEMUCapsNewForBinary(const char *binary,
+ virQEMUCapsPtr qemuCaps;
+ struct stat sb;
+ int rv;
++ char *qmperr = NULL;
+
+ if (!(qemuCaps = virQEMUCapsNew()))
+ goto error;
+@@ -3400,13 +3415,13 @@ virQEMUCapsPtr virQEMUCapsNewForBinary(const char *binary,
+ goto error;
+
+ if (rv == 0) {
+- if (virQEMUCapsInitQMP(qemuCaps, libDir, runUid, runGid) < 0) {
++ if (virQEMUCapsInitQMP(qemuCaps, libDir, runUid, runGid, &qmperr) < 0) {
+ virQEMUCapsLogProbeFailure(binary);
+ goto error;
+ }
+
+ if (!qemuCaps->usedQMP &&
+- virQEMUCapsInitHelp(qemuCaps, runUid, runGid) < 0) {
++ virQEMUCapsInitHelp(qemuCaps, runUid, runGid, qmperr) < 0) {
+ virQEMUCapsLogProbeFailure(binary);
+ goto error;
+ }
+@@ -3415,9 +3430,11 @@ virQEMUCapsPtr virQEMUCapsNewForBinary(const char *binary,
+ goto error;
+ }
+
++ VIR_FREE(qmperr);
+ return qemuCaps;
+
+ error:
++ VIR_FREE(qmperr);
+ virObjectUnref(qemuCaps);
+ qemuCaps = NULL;
+ return NULL;
+diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
+index a0bb5d3..d8d63a6 100644
+--- a/src/qemu/qemu_capabilities.h
++++ b/src/qemu/qemu_capabilities.h
+@@ -302,7 +302,8 @@ int virQEMUCapsParseHelpStr(const char *qemu,
+ unsigned int *version,
+ bool *is_kvm,
+ unsigned int *kvm_version,
+- bool check_yajl);
++ bool check_yajl,
++ const char *qmperr);
+ /* Only for use by test suite */
+ int virQEMUCapsParseDeviceStr(virQEMUCapsPtr qemuCaps, const char *str);
+
+diff --git a/tests/qemuhelptest.c b/tests/qemuhelptest.c
+index 975edf3..271fddc 100644
+--- a/tests/qemuhelptest.c
++++ b/tests/qemuhelptest.c
+@@ -58,7 +58,7 @@ static int testHelpStrParsing(const void *data)
+ goto cleanup;
+
+ if (virQEMUCapsParseHelpStr("QEMU", help, flags,
+- &version, &is_kvm, &kvm_version, false) == -1)
++ &version, &is_kvm, &kvm_version, false, NULL) == -1) {
+ goto cleanup;
+
+ # ifndef WITH_YAJL
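Review bot: The tests/qemuhelptest.c hunk introduces a syntax error: the new line `&version, &is_kvm, &kvm_version, false, NULL) == -1) {` adds an opening brace that the old line did not have, and the following context (`goto cleanup;`, then `# ifndef WITH_YAJL`) adds no matching `}`, so the test file no longer compiles; the line should read `&version, &is_kvm, &kvm_version, false, NULL) == -1)` with no brace. Because debian/rules in this same upload disables the test suite entirely, the build will not catch this, so it is worth fixing now rather than discovering it when tests are re-enabled. In virQEMUCapsInitQMP, the new `VIR_DEBUG("QEMU %s exited with status %d: %s", qemuCaps->binary, status, *qmperr)` passes `*qmperr` to `%s`; if virCommandRun can leave the error buffer NULL when the child wrote nothing (not visible from the hunk), this is a NULL `%s` argument, and `NULLSTR(*qmperr)` or a similar guard would be safer. testHelpStrParsing and the other touched functions start and end outside their hunks.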
diff -Nru libvirt-1.2.9/debian/patches/upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch libvirt-1.2.9/debian/patches/upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch
--- libvirt-1.2.9/debian/patches/upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.9/debian/patches/upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch 2015-08-24 16:21:08.000000000 +0200
@@ -0,0 +1,41 @@
+From: =?utf-8?q?C=C3=A9dric_Bosdonnat?= <cbosdonnat@suse.com>
+Date: Tue, 28 Oct 2014 14:42:34 -0600
+Subject: Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or
+ kqemu
+
+Closes: #786650
+---
+ src/security/virt-aa-helper.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
+index 9afc8db..1f299a0 100644
+--- a/src/security/virt-aa-helper.c
++++ b/src/security/virt-aa-helper.c
+@@ -341,15 +341,25 @@ create_profile(const char *profile, const char *profile_name,
+ int tlen, plen;
+ int fd;
+ int rc = -1;
++ const char *driver_name = NULL;
+
+ if (virFileExists(profile)) {
+ vah_error(NULL, 0, _("profile exists"));
+ goto end;
+ }
+
++ switch (virtType) {
++ case VIR_DOMAIN_VIRT_QEMU:
++ case VIR_DOMAIN_VIRT_KQEMU:
++ case VIR_DOMAIN_VIRT_KVM:
++ driver_name = "qemu";
++ break;
++ default:
++ driver_name = virDomainVirtTypeToString(virtType);
++ }
+
+ if (virAsprintfQuiet(&template, "%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt",
+- virDomainVirtTypeToString(virtType)) < 0) {
++ driver_name) < 0) {
+ vah_error(NULL, 0, _("template name exceeds maximum length"));
+ goto end;
+ }
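Review bot: The new `switch (virtType)` in create_profile gives no hint why kvm and kqemu are folded onto the qemu template, so a reader has to dig out the bug report to understand the mapping; a comment above the switch such as `/* kvm and kqemu domains share the qemu profile template (#786650) */` would make it self-explanatory. The `default:` arm preserves the previous behaviour of passing virDomainVirtTypeToString(virtType) straight through to the `%s` format, so if that helper can return NULL for an unknown type the patch neither introduces nor fixes that; it is only worth noting because the value now flows through `driver_name`. create_profile's body continues outside the hunk.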
diff -Nru libvirt-1.2.9/debian/rules libvirt-1.2.9/debian/rules
--- libvirt-1.2.9/debian/rules 2015-02-05 21:22:11.000000000 +0100
+++ libvirt-1.2.9/debian/rules 2015-08-24 16:21:08.000000000 +0200
@@ -129,14 +129,7 @@
dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_ARGS)
override_dh_auto_test:
- export LD_PRELOAD=""; \
- export VIR_TEST_DEBUG=1; \
- [ -n "$(MAKE_CHECK)" ] || exit 0; \
- if ! dh_auto_test -O--builddirectory=$(DEB_BUILDDIR); then \
- cat ./debian/build/gnulib/tests/test-suite.log \
- ./debian/build/tests/test-suite.log; \
- exit 1; \
- fi
+ # Disabled due to #781232
override_dh_install:
dh_install
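Review bot: Replacing the whole override_dh_auto_test recipe with `# Disabled due to #781232` turns off every test for this stable update, including the test file (tests/qemuhelptest.c) that this same upload patches, so a build error in the backported test code would go unnoticed. The removed recipe was already gated on `[ -n "$(MAKE_CHECK)" ] || exit 0`, with MAKE_CHECK presumably set elsewhere in debian/rules outside this hunk; leaving the recipe in place and clearing that variable for jessie would keep the tests runnable on demand while still skipping them in the package build. At minimum the comment should name what the bug affects, e.g. `# Tests disabled: libxml2 bug #781232 in jessie breaks the suite; re-enable when fixed`, so a later maintainer knows when the disable can be lifted.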