[PATCH] apparmor: qemu load old shared objects

Christian Ehrhardt posted 1 patch 4 years, 1 month ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20200313085612.23902-1-christian.ehrhardt@canonical.com
src/security/apparmor/libvirt-qemu | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] apparmor: qemu load old shared objects
Posted by Christian Ehrhardt 4 years, 1 month ago
On qemu upgrades the old .so files usually are replaced. But on the other
hand since a qemu process represents a guest instance it is usually kept
around.

That makes late addition of dynamic features e.g. 'hot-attach of a ceph
disk' fail by trying to load a new version of e.g. block-rbd.so into an
old still running qemu binary.

Qemu adds a fallback to also load modules from a versioned directory in the
temporary /var/run path. That way qemu is providing a way for packaging
to store modules of an upgraded qemu package as needed until the next reboot.

This change is allowing the qemu process access to these paths.

Background:
This is a continuation of a discussion at KVM Forum 2019 eventually
becoming [1] and recently this change is queued to get into qemu properly [2].

[1]: https://lists.gnu.org/archive/html/qemu-devel/2019-11/msg00005.html
[2]: https://lists.nongnu.org/archive/html/qemu-devel/2020-03/msg03313.html

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/apparmor/libvirt-qemu | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
index 80986aec61..22415c9dfd 100644
--- a/src/security/apparmor/libvirt-qemu
+++ b/src/security/apparmor/libvirt-qemu
@@ -164,6 +164,11 @@
   /usr/{lib,lib64}/qemu/*.so mr,
   /usr/lib/@{multiarch}/qemu/*.so mr,
 
+  # let qemu load old shared objects after upgrades (LP: #1847361)
+  /{var/,}run/qemu/*/*.so mr,
+  # but explicitly deny with auditing writing to these files
+  audit deny /{var/,}run/qemu/*/*.so w,
+
   # swtpm
   /{usr/,}bin/swtpm rmix,
   /usr/{lib,lib64}/libswtpm_libtpms.so mr,
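Review bot: the new allow rule `/{var/,}run/qemu/*/*.so mr,` matches any single directory name under /run/qemu/, not only the directory belonging to the running binary's version, and the commit message itself describes /var/run as a temporary path, so the profile cannot by itself guarantee that a mapped object came from the upgraded package; the rule is only as strong as the ownership and mode that packaging gives /run/qemu/ and its version directories. That assumption deserves a sentence in the comment next to the rule (e.g. "directories under /run/qemu are created root-owned by the package"). Also, none of the visible rules grants `w` on these paths, so the `audit deny /{var/,}run/qemu/*/*.so w,` line does not change what is permitted; its value is the log record on attempted writes, which the comment "explicitly deny with auditing" could state outright.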
-- 
2.25.1


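The commit message says qemu falls back to a versioned directory under /var/run and that the profile change grants access to those paths. To make the reach of the new rules concrete, here is an added example (not libvirt's, qemu's or AppArmor's own code, and not part of this patch or thread): a small model of AppArmor file-rule path matching that is run over the rules from the hunk. It supports only `{a,b}` alternation, `*` (which stays within one path component), `**`, `?`, `@{var}` expansion and deny-overrides-allow; the value assumed for `@{multiarch}` is constructed, and the real parser has many more features.

```python
import re

# Added example, not libvirt's or AppArmor's code: a reduced model of AppArmor
# file-rule path globs, used to show which paths and accesses the hunk's rules
# cover. Semantics modelled: {a,b} alternation, * (no '/'), ** (any),
# ? (one non-'/' char), @{var} expansion, and deny-overrides-allow.

# Constructed value for the profile's @{multiarch} variable (an assumption;
# on a real host it comes from the apparmor tunables).
VARIABLES = {"multiarch": "x86_64-linux-gnu"}

# Rules copied from the hunk: two existing allow lines, the new allow line
# and the new audit deny line.
PROFILE_SNIPPET = """
  /usr/{lib,lib64}/qemu/*.so mr,
  /usr/lib/@{multiarch}/qemu/*.so mr,
  # let qemu load old shared objects after upgrades (LP: #1847361)
  /{var/,}run/qemu/*/*.so mr,
  # but explicitly deny with auditing writing to these files
  audit deny /{var/,}run/qemu/*/*.so w,
"""

RULE_RE = re.compile(r"^\s*(audit\s+)?(deny\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*$")


def glob_to_regex(pattern, variables=VARIABLES):
    """Translate one AppArmor path glob into an anchored regular expression."""
    pattern = re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], pattern)
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*" and pattern[i + 1:i + 2] == "*":
            out.append(".*")          # ** crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %r" % pattern)
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """Parse file rules (comments and blank lines skipped) into dicts."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        audit, deny, path, perms = m.groups()
        rules.append({"audit": bool(audit), "deny": bool(deny),
                      "regex": glob_to_regex(path), "perms": set(perms),
                      "text": line.strip()})
    return rules


def check(rules, path, requested):
    """Return (granted, audited_denials) for an access request on path.

    Permissions from every matching allow rule are unioned, then anything
    named by a matching deny rule is removed; the request is granted only if
    each requested permission survives. An 'audit deny' rule that matches a
    requested permission yields a log record, listed in audited_denials."""
    allowed, denied, audited = set(), set(), []
    for r in rules:
        if not r["regex"].match(path):
            continue
        if r["deny"]:
            denied |= r["perms"]
            if r["audit"] and set(requested) & r["perms"]:
                audited.append(r["text"])
        else:
            allowed |= r["perms"]
    granted = set(requested) <= (allowed - denied)
    return granted, audited


if __name__ == "__main__":
    rules = parse_profile(PROFILE_SNIPPET)
    for path, perms in [("/run/qemu/4.2/block-rbd.so", "mr"),
                        ("/var/run/qemu/4.2/block-rbd.so", "mr"),
                        ("/run/qemu/block-rbd.so", "mr"),
                        ("/run/qemu/4.2/extra/block-rbd.so", "mr"),
                        ("/run/qemu/4.2/block-rbd.so", "w")]:
        print("%-40s %-3s -> %s" % (path, perms, check(rules, path, perms)))
```

The sample paths show the shape of the rule: both `/run/qemu/<dir>/x.so` and `/var/run/qemu/<dir>/x.so` are mappable, an object directly in /run/qemu/ or one level deeper is not (a single `*` never spans a `/`), and a write request is refused and recorded even though the same path is readable, because the deny is subtracted from whatever the allow rules granted.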
Re: [PATCH] apparmor: qemu load old shared objects
Posted by Daniel P. Berrangé 4 years, 1 month ago
On Fri, Mar 13, 2020 at 09:56:12AM +0100, Christian Ehrhardt wrote:
> On qemu upgrades the old .so files usually are replaced. But on the other
> hand since a qemu process represents a guest instance it is usually kept
> around.
> 
> That makes late addition of dynamic features e.g. 'hot-attach of a ceph
> disk' fail by trying to load a new version of e.g. block-rbd.so into an
> old still running qemu binary.
> 
> Qemu adds a fallback to also load modules from a versioned directory in the
> temporary /var/run path. That way qemu is providing a way for packaging
> to store modules of an upgraded qemu package as needed until the next reboot.
> 
> This change is allowing the qemu process access to these paths.
> 
> Background:
> This is a continuation of a discussion at KVM Forum 2019 eventually
> becoming [1] and recently this change is queued to get into qemu properly [2].
> 
> [1]: https://lists.gnu.org/archive/html/qemu-devel/2019-11/msg00005.html
> [2]: https://lists.nongnu.org/archive/html/qemu-devel/2020-03/msg03313.html
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  src/security/apparmor/libvirt-qemu | 5 +++++
>  1 file changed, 5 insertions(+)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

> 
> diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> index 80986aec61..22415c9dfd 100644
> --- a/src/security/apparmor/libvirt-qemu
> +++ b/src/security/apparmor/libvirt-qemu
> @@ -164,6 +164,11 @@
>    /usr/{lib,lib64}/qemu/*.so mr,
>    /usr/lib/@{multiarch}/qemu/*.so mr,
>  
> +  # let qemu load old shared objects after upgrades (LP: #1847361)
> +  /{var/,}run/qemu/*/*.so mr,
> +  # but explicitly deny with auditing writing to these files
> +  audit deny /{var/,}run/qemu/*/*.so w,
> +
>    # swtpm
>    /{usr/,}bin/swtpm rmix,
>    /usr/{lib,lib64}/libswtpm_libtpms.so mr,
> -- 
> 2.25.1
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|