[Pkg-libvirt-commits] [Git][libvirt-team/libvirt][debian/latest] 9 commits: changelog: Create entry for 9.6.0-1

Andrea Bolognani (@abologna) gitlab at salsa.debian.org
Tue Aug 8 19:50:32 BST 2023



Andrea Bolognani pushed to branch debian/latest at Libvirt Packaging Team / libvirt


Commits:
581ef642 by Andrea Bolognani at 2023-08-01T20:27:59+02:00
changelog: Create entry for 9.6.0-1

Gbp-Dch: Ignore

- - - - -
a6c1b6d7 by Andrea Bolognani at 2023-08-01T20:30:53+02:00
symbols: Bump symbol versions

No new public symbols.

Gbp-Dch: Ignore

- - - - -
9a195228 by Andrea Bolognani at 2023-08-02T21:36:59+02:00
patches: Refresh patches

The AppArmor overrides for services are no longer added, as
upstream provides them now; those for abstractions are
modified. More details about that in the next few commits.

Gbp-Dch: Ignore

- - - - -
cc3a7889 by Andrea Bolognani at 2023-08-02T21:38:27+02:00
control: Require AppArmor 3

Upstream now behaves differently depending on whether AppArmor
3 or AppArmor 2 is present, and we want the newer behavior.

- - - - -
b8804c77 by Andrea Bolognani at 2023-08-02T21:40:44+02:00
rules: Don't delete etc/apparmor.d/local/*

It doesn't get created when building for AppArmor 3.

Gbp-Dch: Ignore

- - - - -
bd25dd8c by Andrea Bolognani at 2023-08-02T21:41:04+02:00
postinst: No longer create empty overrides for abstractions

The previous paths were Debian-specific and are now deprecated
in favor of an upstream-compatible solution.

Note that we don't create empty overrides for the new locations:
now that we require AppArmor 3, we can safely use the "include
if exists" directive and thus those placeholders are no longer
needed. Upstream AppArmor's preference is for them *not* to be
created to avoid unnecessary clutter.

We also delete the old overrides if there are no local
customizations. Cleaning up after ourselves, at purge time, is
something that we should have done even before now, in the same
way dh_apparmor already does for the empty overrides that it
creates for profiles.

Gbp-Dch: Ignore

- - - - -
bb0f05f6 by Andrea Bolognani at 2023-08-02T22:10:22+02:00
NEWS: Update for AppArmor-related changes

Gbp-Dch: Ignore

- - - - -
54d65bdf by Andrea Bolognani at 2023-08-05T19:01:39+02:00
patches: Add backports

Specifically

  * backport/src-fix-max-file-limits-in-systemd-services.patch

- - - - -
9c54c966 by Andrea Bolognani at 2023-08-05T19:02:39+02:00
Document changes and release 9.6.0-1

- - - - -


9 changed files:

- debian/NEWS
- debian/changelog
- debian/control
- debian/libvirt-daemon-system.postinst
- debian/libvirt0.symbols
- + debian/patches/backport/src-fix-max-file-limits-in-systemd-services.patch
- debian/patches/debian/apparmor_profiles_local_include.patch
- debian/patches/series
- debian/rules


Changes:

=====================================
debian/NEWS
=====================================
@@ -1,3 +1,14 @@
+libvirt (9.6.0-1) unstable; urgency=medium
+
+  Local overrides for AppArmor abstractions are now expected to
+  be /etc/apparmor.d/abstractions/libvirt-{qemu,lxc}.d/... instead
+  of /etc/apparmor.d/local/abstractions/libvirt-{qemu,lxc}.
+
+  The old locations are still accepted for now, but support for
+  them will be dropped in a future release.
+
+ -- Andrea Bolognani <eof at kiyuko.org>  Wed, 02 Aug 2023 21:41:19 +0200
+
 libvirt (8.10.0-2) experimental; urgency=medium
 
   Localization for libvirt has been moved to the libvirt-l10n
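Review bot: the new NEWS entry says where overrides now belong but not what happens to files at the old location on upgrade; since the postinst change in this same push removes empty `/etc/apparmor.d/local/abstractions/libvirt-{qemu,lxc}` files and keeps non-empty ones, a sentence saying so would spare admins a surprise when the placeholder files disappear. It would also help to tell users with non-empty old files to move their rules into the new `.d/` directories, given that support for the old location is announced as going away.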


=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+libvirt (9.6.0-1) UNRELEASED; urgency=medium
+
+  * [74213a2] New upstream version 9.6.0
+    - Fixes CVE-2023-3750 (Closes: #1041811)
+  * [cc3a788] control: Require AppArmor 3
+  * [54d65bd] patches: Add backports
+    - backport/src-fix-max-file-limits-in-systemd-services.patch
+
+ -- Andrea Bolognani <eof at kiyuko.org>  Sat, 05 Aug 2023 19:01:56 +0200
+
 libvirt (9.5.0-2) unstable; urgency=medium
 
   [ Pino Toscano ]
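Review bot: the distribution field on the first added line still reads `UNRELEASED`, while the NEWS entry added in this push uses `unstable` and the last commit is titled `Document changes and release 9.6.0-1`; confirm the release step set the distribution before upload. The entry also omits the postinst cleanup of the old override files, which is user-visible behaviour even though that commit carries `Gbp-Dch: Ignore`.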


=====================================
debian/control
=====================================
@@ -13,7 +13,7 @@ Build-Depends:
  iptables [linux-any],
  kmod [linux-any],
  libacl1-dev [linux-any],
- libapparmor-dev [linux-any],
+ libapparmor-dev (>= 3.0.0) [linux-any],
  libattr1-dev [linux-any],
  libaudit-dev [linux-any],
  libblkid-dev,
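Review bot: the tightened `libapparmor-dev (>= 3.0.0)` constraint only governs the build; the profiles that now rely on `include if exists` (see the apparmor_profiles_local_include.patch change further down) are parsed by whatever AppArmor parser is installed on the target system, so check that the runtime packages carry a matching versioned Depends or Breaks on `apparmor` (those lines are outside this hunk).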


=====================================
debian/libvirt-daemon-system.postinst
=====================================
@@ -127,22 +127,22 @@ case "$1" in
         # Force refresh of capabilities (#731815)
         rm -f /var/cache/libvirt/qemu/capabilities/*.xml
 
-        # dh_apparmor can't work with dir/file profile filenames yet (#979500)
-        # Also we don't want the reload section of dh_apparmor. Just the
-        # install of an empty include.
-        ABSTRACTIONS_DIR="/etc/apparmor.d/abstractions"
+        # Obsolete AppArmor stuff included until 9.6.0-1
         LOCAL_ABSTRACTIONS_DIR="/etc/apparmor.d/local/abstractions"
         LIBVIRT_ABSTRACTIONS="libvirt-lxc libvirt-qemu"
 
         for name in $LIBVIRT_ABSTRACTIONS; do
-            abstraction="$ABSTRACTIONS_DIR/$name"
             local_abstraction="$LOCAL_ABSTRACTIONS_DIR/$name"
 
-            if [ -e "$abstraction" ] && [ ! -e "$local_abstraction" ]; then
-                mkdir -p "$LOCAL_ABSTRACTIONS_DIR"
-                install -m 0644 /dev/null "$local_abstraction"
+            # Delete the file if it's empty, leave it alone otherwise
+            if [ ! -s "$local_abstraction" ]; then
+                rm -f "$local_abstraction"
             fi
         done
+
+        if [ -d "$LOCAL_ABSTRACTIONS_DIR" ]; then
+            rmdir --ignore-fail-on-non-empty "$LOCAL_ABSTRACTIONS_DIR"
+        fi
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
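Review bot: the cleanup block runs on every `configure` rather than once when upgrading from a pre-9.6.0-1 version, and the comment `# Obsolete AppArmor stuff included until 9.6.0-1` does not say when the block can be dropped; consider guarding it with `if dpkg --compare-versions "$2" lt-nl 9.6.0-1; then` so it only fires for the migration, and rewording the comment to say that it removes the empty placeholder files earlier versions of this postinst created. The `[ ! -s ]` test followed by `rm -f` is a safe way to preserve any non-empty admin customization, and `rmdir --ignore-fail-on-non-empty` is GNU-specific but fine on Debian. Note that the commit message talks about cleaning up at purge time, whereas this hunk sits in the configure branch and the postrm is not touched here.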


=====================================
debian/libvirt0.symbols
=====================================
@@ -98,7 +98,7 @@ libvirt.so.0 libvirt0 #MINVER#
  *@LIBVIRT_8.4.0 8.4.0
  *@LIBVIRT_8.5.0 8.5.0
  *@LIBVIRT_9.0.0 9.0.0
- *@LIBVIRT_PRIVATE_9.5.0 9.5.0
+ *@LIBVIRT_PRIVATE_9.6.0 9.6.0
 
 libvirt-qemu.so.0 libvirt0 #MINVER#
  *@LIBVIRT_QEMU_0.8.3 0.8.3
@@ -116,4 +116,4 @@ libvirt-admin.so.0 libvirt0 #MINVER#
  *@LIBVIRT_ADMIN_2.0.0 2.0.0~rc1
  *@LIBVIRT_ADMIN_3.0.0 3.0.0
  *@LIBVIRT_ADMIN_8.6.0 8.9.0
- *@LIBVIRT_ADMIN_PRIVATE_9.5.0 9.5.0
+ *@LIBVIRT_ADMIN_PRIVATE_9.6.0 9.6.0


=====================================
debian/patches/backport/src-fix-max-file-limits-in-systemd-services.patch
=====================================
@@ -0,0 +1,122 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange at redhat.com>
+Date: Wed, 2 Aug 2023 10:00:22 +0100
+Subject: src: fix max file limits in systemd services
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This fixes
+
+  commit 38abf9c34dc481b0dc923bdab446ee623bdc5ab6
+  Author: Daniel P. Berrangé <berrange at redhat.com>
+  Date:   Wed Jun 21 13:22:40 2023 +0100
+
+    src: set max open file limit to match systemd >= 240 defaults
+
+The bug referenced in that commit had suggested to set
+
+  LimitNOFile=512000:1024
+
+on the basis that matches current systemd default behaviour and is
+compatible with old systemd. That was good except
+
+ * The setting is LimitNOFILE and these are case sensitive
+ * The hard and soft limits were inverted - soft must come
+   first and so it would have been ignored even if the
+   setting name was correct.
+ * The default hard limit is 524288 not 512000
+
+Reported-by: Olaf Hering <olaf at aepfle.de>
+Reviewed-by: Martin Kletzander <mkletzan at redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
+(cherry picked from commit 3d2f3fb72b4c1d636822606ef8b1df29ae4a2be6)
+
+Forwarded: not-needed
+Origin: https://gitlab.com/libvirt/libvirt/-/commit/3d2f3fb72b4c1d636822606ef8b1df29ae4a2be6
+---
+ src/ch/virtchd.service.in        | 2 +-
+ src/locking/virtlockd.service.in | 2 +-
+ src/logging/virtlogd.service.in  | 2 +-
+ src/lxc/virtlxcd.service.in      | 2 +-
+ src/qemu/virtqemud.service.in    | 2 +-
+ src/remote/libvirtd.service.in   | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/ch/virtchd.service.in b/src/ch/virtchd.service.in
+index be242fe..351eee3 100644
+--- a/src/ch/virtchd.service.in
++++ b/src/ch/virtchd.service.in
+@@ -24,7 +24,7 @@ Restart=on-failure
+ # Raise hard limits to match behaviour of systemd >= 240.
+ # During startup, daemon will set soft limit to match hard limit
+ # per systemd recommendations
+-LimitNOFile=512000:1024
++LimitNOFILE=1024:524288
+ # The cgroups pids controller can limit the number of tasks started by
+ # the daemon, which can limit the number of domains for some hypervisors.
+ # A conservative default of 8 tasks per guest results in a TasksMax of
+diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
+index f1792dc..dd0bbab 100644
+--- a/src/locking/virtlockd.service.in
++++ b/src/locking/virtlockd.service.in
+@@ -18,7 +18,7 @@ OOMScoreAdjust=-900
+ # Raise hard limits to match behaviour of systemd >= 240.
+ # During startup, daemon will set soft limit to match hard limit
+ # per systemd recommendations
+-LimitNOFile=512000:1024
++LimitNOFILE=1024:524288
+ 
+ [Install]
+ Also=virtlockd.socket
+diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
+index cef4053..8e245dd 100644
+--- a/src/logging/virtlogd.service.in
++++ b/src/logging/virtlogd.service.in
+@@ -18,7 +18,7 @@ OOMScoreAdjust=-900
+ # Raise hard limits to match behaviour of systemd >= 240.
+ # During startup, daemon will set soft limit to match hard limit
+ # per systemd recommendations
+-LimitNOFile=512000:1024
++LimitNOFILE=1024:524288
+ 
+ [Install]
+ Also=virtlogd.socket
+diff --git a/src/lxc/virtlxcd.service.in b/src/lxc/virtlxcd.service.in
+index b615a3f..ee3a7f1 100644
+--- a/src/lxc/virtlxcd.service.in
++++ b/src/lxc/virtlxcd.service.in
+@@ -24,7 +24,7 @@ Restart=on-failure
+ # Raise hard limits to match behaviour of systemd >= 240.
+ # During startup, daemon will set soft limit to match hard limit
+ # per systemd recommendations
+-LimitNOFile=512000:1024
++LimitNOFILE=1024:524288
+ # The cgroups pids controller can limit the number of tasks started by
+ # the daemon, which can limit the number of domains for some hypervisors.
+ # A conservative default of 8 tasks per guest results in a TasksMax of
+diff --git a/src/qemu/virtqemud.service.in b/src/qemu/virtqemud.service.in
+index e3dc738..e79670c 100644
+--- a/src/qemu/virtqemud.service.in
++++ b/src/qemu/virtqemud.service.in
+@@ -26,7 +26,7 @@ Restart=on-failure
+ # Raise hard limits to match behaviour of systemd >= 240.
+ # During startup, daemon will set soft limit to match hard limit
+ # per systemd recommendations
+-LimitNOFile=512000:1024
++LimitNOFILE=1024:524288
+ # The cgroups pids controller can limit the number of tasks started by
+ # the daemon, which can limit the number of domains for some hypervisors.
+ # A conservative default of 8 tasks per guest results in a TasksMax of
+diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
+index abac58c..84f1613 100644
+--- a/src/remote/libvirtd.service.in
++++ b/src/remote/libvirtd.service.in
+@@ -31,7 +31,7 @@ Restart=on-failure
+ # Raise hard limits to match behaviour of systemd >= 240.
+ # During startup, daemon will set soft limit to match hard limit
+ # per systemd recommendations
+-LimitNOFile=512000:1024
++LimitNOFILE=1024:524288
+ # The cgroups pids controller can limit the number of tasks started by
+ # the daemon, which can limit the number of domains for some hypervisors.
+ # A conservative default of 8 tasks per guest results in a TasksMax of
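Review bot: worth recording a post-upgrade verification step, because the key being corrected (`LimitNOFile`) was misspelled and thus ignored by systemd apart from a journal warning, so nothing flagged the regression earlier: after installation, `systemctl show virtqemud.service -p LimitNOFILESoft -p LimitNOFILE` should report 1024 and 524288, and `/proc/<pid>/limits` for the running daemon should show the soft limit raised to the hard limit as the service comment promises. The DEP-3 headers look complete: `Origin` points at the cherry-picked upstream commit and `Forwarded: not-needed` is right for a backport.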


=====================================
debian/patches/debian/apparmor_profiles_local_include.patch
=====================================
@@ -6,54 +6,39 @@ Include local apparmor profile
 
 Forwarded: not-needed
 ---
- src/security/apparmor/libvirt-lxc                       | 3 +++
- src/security/apparmor/libvirt-qemu                      | 3 +++
- src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in | 1 +
- src/security/apparmor/usr.sbin.libvirtd.in              | 3 +++
- 4 files changed, 10 insertions(+)
+ src/security/apparmor/libvirt-lxc.in  | 7 +++++++
+ src/security/apparmor/libvirt-qemu.in | 7 +++++++
+ 2 files changed, 14 insertions(+)
 
-diff --git a/src/security/apparmor/libvirt-lxc b/src/security/apparmor/libvirt-lxc
-index 0c8b812..72278b5 100644
---- a/src/security/apparmor/libvirt-lxc
-+++ b/src/security/apparmor/libvirt-lxc
-@@ -116,3 +116,6 @@
-   deny /sys/fs/cgrou[^p]*{,/**} wklx,
-   deny /sys/fs/cgroup?*{,/**} wklx,
-   deny /sys/fs?*{,/**} wklx,
-+
-+  # Site-specific additions and overrides. See local/README for details.
-+  #include <local/abstractions/libvirt-lxc>
-diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
-index 44056b5..c01c5c6 100644
---- a/src/security/apparmor/libvirt-qemu
-+++ b/src/security/apparmor/libvirt-qemu
-@@ -269,3 +269,6 @@
-   # required for QEMU accessing UEFI nvram variables
-   owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
-   owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
-+
-+  # Site-specific additions and overrides. See local/README for details.
-+  #include <local/abstractions/libvirt-qemu>
-diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-index ff1d46b..5a50823 100644
---- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
-@@ -71,5 +71,6 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
-   /**.[iI][sS][oO] r,
-   /**/disk{,.*} r,
+diff --git a/src/security/apparmor/libvirt-lxc.in b/src/security/apparmor/libvirt-lxc.in
+index ffe4d8f..2973b00 100644
+--- a/src/security/apparmor/libvirt-lxc.in
++++ b/src/security/apparmor/libvirt-lxc.in
+@@ -119,4 +119,11 @@
  
-+  # Site-specific additions and overrides. See local/README for details.
-   #include <local/usr.lib.libvirt.virt-aa-helper>
- }
-diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
-index edb8dd8..741f3b2 100644
---- a/src/security/apparmor/usr.sbin.libvirtd.in
-+++ b/src/security/apparmor/usr.sbin.libvirtd.in
-@@ -139,4 +139,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+ @BEGIN_APPARMOR_3@
+   include if exists <abstractions/libvirt-lxc.d>
++
++  ### DEPRECATED ###
++  # Debian-specific override file
++  # Please use <abstractions/libvirt-lxc.d/...> instead
++  # Support for this override will be removed in a future release
++  ### DEPRECATED ###
++  include if exists <local/abstractions/libvirt-lxc>
+ @END_APPARMOR_3@
+diff --git a/src/security/apparmor/libvirt-qemu.in b/src/security/apparmor/libvirt-qemu.in
+index 53f45c3..b5433ea 100644
+--- a/src/security/apparmor/libvirt-qemu.in
++++ b/src/security/apparmor/libvirt-qemu.in
+@@ -274,4 +274,11 @@
  
-    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
-   }
+ @BEGIN_APPARMOR_3@
+   include if exists <abstractions/libvirt-qemu.d>
 +
-+  # Site-specific additions and overrides. See local/README for details.
-+  #include <local/usr.sbin.libvirtd>
- }
++  ### DEPRECATED ###
++  # Debian-specific override file
++  # Please use <abstractions/libvirt-qemu.d/...> instead
++  # Support for this override will be removed in a future release
++  ### DEPRECATED ###
++  include if exists <local/abstractions/libvirt-qemu>
+ @END_APPARMOR_3@
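Review bot: the DEP-3 description of this patch still reads `Include local apparmor profile` (context at the top of the hunk) although the patch now only adds a deprecated compatibility include, and that headline is what the next maintainer reads when deciding whether the patch can be dropped; suggest updating it to describe the deprecation and the planned removal. Placing the deprecated `include if exists <local/abstractions/libvirt-lxc>` after the upstream `<abstractions/libvirt-lxc.d>` include is fine, since allow rules in AppArmor are cumulative (deny rules take precedence regardless of order), so both files are honoured. Dropping the hunks for `usr.lib.libvirt.virt-aa-helper.in` and `usr.sbin.libvirtd.in` matches the commit message's note that upstream ships those local includes now.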


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
+backport/src-fix-max-file-limits-in-systemd-services.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 debian/Debianize-libvirt-guests.patch


=====================================
debian/rules
=====================================
@@ -239,9 +239,6 @@ execute_after_dh_auto_install:
 	mv $(DEB_DESTDIR)/usr/share/polkit-1/rules.d/50-libvirt.rules \
 	   $(DEB_DESTDIR)/usr/share/polkit-1/rules.d/60-libvirt.rules
 
-	# Don't ship any files that are managed by the user only
-	rm $(DEB_DESTDIR)/etc/apparmor.d/local/*
-
 	# Don't ship the CI dashboard, which is not useful as documentation
 	# triggers the privacy-breach-generic Lintian tag
 	rm $(DEB_DESTDIR)/usr/share/doc/libvirt/html/ci-dashboard.html
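Review bot: removing the unconditional `rm` drops the safeguard along with the build failure; if a future upstream version again installs files under `etc/apparmor.d/local/`, they would silently end up in the package. A tolerant form such as `rm -f $(DEB_DESTDIR)/etc/apparmor.d/local/*` keeps the intent of the deleted comment (don't ship user-managed files) while still succeeding when the directory does not exist, which the commit message says is the case with AppArmor 3.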



View it on GitLab: https://salsa.debian.org/libvirt-team/libvirt/-/compare/cc83f8b0e954c832a335c6eb5a785cf1b4926ac9...9c54c96680a18cf407853d1fed8c39d32e908e06
