** Description changed: [Impact] * An infrequent but annoying issue is QEMUs problem to not be able to hot-add capabilities IF since starting the instance qemu has been upgraded. This is due to qemu modules only working with exactly the same build. - * TBD this particular change + * The problem is that the path everyone (upstream+security) agreed + to put the files in is mounted noexec by default in Ubuntu preventing + to load the .so from there. + + * In new versions this is solved via a .mount unit which is great for + transparency and control e.g. opt in/out of this. But for the SRU + after backporting the mount unit at first it was decided that a rather + simple "check and tmp-mount if needed" is more resilient, less complex + (mount unit handling by systemd/dh* is vastly different across + releases) and would have less regression risk for scenarios + were the admin has already made the path non noexec. + [Test Case] I: * $ apt install uvtool-libvirt $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=bionic $ uvt-kvm create --password ubuntu lateload arch=amd64 release=bionic label=daily cat > curldisk.xml << EOF <disk type='network' device='disk'> <driver name='qemu' type='raw'/> <source protocol="http" name="ubuntu/dists/bionic-updates/main/installer-amd64/current/images/netboot/mini.iso"> <host name="archive.ubuntu.com" port="80"/> </source> <target dev='vdc' bus='virtio'/> <readonly/> </disk> EOF # Here up or downgrade the installed packages, even a minor # version or a rebuild of the same version # Instead if you prefer (easier) you can run $ apt install --reinstall qemu-* Next check if they appeared (action of the maintainer scripts) in the /var/run/qemu/<version> directory # And then rm/mv the original .so files of qemu-block-extra $ sudo mv /usr/lib/x86_64-linux-gnu/qemu/block-curl.so /usr/lib/x86_64-linux-gnu/qemu/block-curl.so.nothere # Trying to load a .so now would after an upgrade fail as the old qemu can't load the build id Without the fix this will now fail some way, e.g. on Focal with: $ virsh attach-device lateload curldisk.xml Reported issue happens on attach: root@b:~# virsh attach-device lateload cdrom-curl.xml error: Failed to attach device from curldisk.xml error: internal error: unable to execute QEMU command 'blockdev-add': Unknown driver 'http' That attach should work on >Focal and also one can also check files mapped into a process and we should see the /var/run/.. path being used now. $ sudo cat /proc/$(pidof qemu-system-x86_64)/maps | grep curl The original file path: 7f619941b000-7f619941c000 rw-p 00005000 fc:01 258107 /usr/lib/x86_64-linux-gnu/qemu/block-curl.so But since we moved that way before being loaded it should point to /run/qemu/... this time. II: * As it had issues in the first iteration of the fix worth a try is also the use of an environment var for an extra path: $ QEMU_MODULE_DIR="/tmp/" qemu-system-x86_64 -cdrom localhost::/foo [Regression Potential] Via extensive discussion we tried to find the least regression-risk way but still the most likely regression would be where administrators have taken means to modify/prepare /run/qemu themselves which might now collide. [Other Info] In Focal there were a few more (effectively no-op) mistakes which are cleaned up by this as well. It did save gui modules (not present in bionic, not wrong in hirsute) that can not be late loaded, so there is no point in saving them. Furthermore it had (bad patch match) enabled the feature on the qemu-system-x86-xen builds which have no use-case for this. --- This is a continuation of bug 1847361. Since that is in Ubuntu and Debian we are: - correctly saving the modules to those paths in /var/run/qemu. - qemu tries to load from that path as fallback - that works fine in containers running qemu/kvm But there is an issue on non-container systems as /run usually is like this: tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=3274920k,mode=755) The important bit here is the "noexec" which is intentional (for security reasons), but prevents the loading of shared objects from that path. The path is good for many reasons (it is auto-cleaned, upstream and Distros agreed to this one path, ...). Moving it to other places also quite likely might have unpredictable options. In a discussion between Victor (thanks for all the pushign and inpot on this) and Marc (security POV) we have come to a solution that will make just the subpath that is owned by qemu to not have noexec set. This bug shall track preparing this fix for Debian / Ubuntu and the latter SRu considerations on the same.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1913421 Title: Load of pre-upgrade qemu modules needs to avoid noexec To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1913421/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
