Bug 1125665 - libvirt regression: can't start domains in qemu:///session -- prctl failed to enable 'dac_override' in the AMBIENT set
Status: VERIFIED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Virtualization:Other
Current
Other openSUSE Factory
P5 - None : Major
Assigned To: James Fehlig
Reported: 2019-02-16 15:38 UTC by Javier de San Pedro
Modified: 2019-04-29 01:11 UTC (History)
Description Javier de San Pedro 2019-02-16 15:38:09 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Build Identifier: 

This is a regression in the current version of the libvirt package. The following patch was pulled from upstream in the package about 8 days ago:

a2d3dea9-qemu-caps-dac-override-sev.patch

This patch makes libvirt ask for the 'dac_override' capability during domain startup. This capability will NOT be granted to a non-root qemu, so libvirt aborts. 

I have manually verified that removing this patch from the libvirt package fixes the issue and I can start my qemu:///session domains normally.

My impression is that this capability should only be asked if getuid == 0.

Reproducible: Always

Steps to Reproduce:
1. Create a "qemu user session" libvirt VM using any of the available tools (GNOME Boxes, virt-manager, etc.)
2. Start that VM either from the GUI or through 'virsh -c qemu:///session start $VM'
Actual Results:  
libvirt:  Error : prctl failed to enable 'dac_override' in the AMBIENT set: Operation not permitted


I am not sure whether I should report this bug upstream too, as I'm not sure the issue happens on other distros. Tumbleweed is the only one I have where this patch is currently merged.
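
Added example (not part of the original report, not libvirt code, and not the content of commit 620d9dd5): the kernel refuses PR_CAP_AMBIENT_RAISE for a capability that is not in the caller's permitted and inheritable sets, which is the "Operation not permitted" above. The sketch shows the unconditional request next to a guarded one that checks the permitted set rather than the uid; all function and enum names are hypothetical.

```c
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>

/* libc exports these wrappers; only libcap's <sys/capability.h> declares them. */
extern int capget(cap_user_header_t hdr, cap_user_data_t data);
extern int capset(cap_user_header_t hdr, const cap_user_data_t data);

enum { AMB_RAISED = 0, AMB_SKIPPED = 1, AMB_FAILED = -1 };  /* hypothetical names */

/* 1 if cap is in this thread's permitted set, 0 if not, -1 on error. */
int cap_is_permitted(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (capget(&hdr, data) < 0) return -1;
    return (data[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap)) != 0;
}

/* Unconditional request: returns 0, or the errno prctl(2) reported. */
int naive_raise_errno(int cap)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE,
                 (unsigned long)cap, 0UL, 0UL) < 0 ? errno : 0;
}

/* Guarded request: a capability the process does not hold is skipped, not fatal. */
int raise_ambient_if_held(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    int held = cap_is_permitted(cap);
    if (held <= 0) return held < 0 ? AMB_FAILED : AMB_SKIPPED;
    /* The ambient set needs the bit in both permitted and inheritable. */
    if (capget(&hdr, data) < 0) return AMB_FAILED;
    data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
    if (capset(&hdr, data) < 0) return AMB_FAILED;
    return naive_raise_errno(cap) == 0 ? AMB_RAISED : AMB_FAILED;
}

int main(void)
{
    /* Run the naive request first so the guarded call cannot change its result. */
    int naive = naive_raise_errno(CAP_DAC_OVERRIDE);
    printf("permitted=%d naive_errno=%d ", cap_is_permitted(CAP_DAC_OVERRIDE), naive);
    printf("guarded=%d\n", raise_ambient_if_held(CAP_DAC_OVERRIDE));
}
```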
Comment 1 Javier de San Pedro 2019-02-17 15:27:46 UTC
The above-mentioned patch causing the regression was to fix boo #1124842, but I cannot access that bug.
Comment 2 James Fehlig 2019-02-20 01:28:37 UTC
Thanks for the report. I missed a followup patch when backporting the SEV device perms patch series, namely commit 620d9dd5. I've added it to the libvirt 5.0.0 package and submitted to Factory.
Comment 4 Javier de San Pedro 2019-02-28 20:32:20 UTC
Verified working as of Tumbleweed 20190226
Comment 12 Swamp Workflow Management 2019-04-15 13:13:39 UTC
SUSE-SU-2019:0948-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1081516,1102604,1112182,1120813,1125665,1126325,1127458,1131595
CVE References: CVE-2019-3840,CVE-2019-3886
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libvirt-4.0.0-8.9.1
SUSE Linux Enterprise Server 12-SP4 (src):    libvirt-4.0.0-8.9.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libvirt-4.0.0-8.9.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-04-29 01:11:47 UTC
openSUSE-SU-2019:1288-1: An update that solves one vulnerability and has 15 fixes is now available.

Category: security (important)
Bug References: 1081516,1102604,1104662,1106420,1108086,1108395,1112182,1117058,1118952,1120813,1123642,1124667,1125665,1126325,1127458,1130129
CVE References: CVE-2019-3840
Sources used:
openSUSE Leap 15.0 (src):    libvirt-4.0.0-lp150.7.10.4