On 161014-12:11+0300, Aleksei wrote:
...
> 2) Include the following to your Qemu command line. You don't need to 
> manually create tap devices on the host, qemu-bridge-helper script does 
> this for you.
>      -device virtio-net,netdev=internet \
>      -netdev bridge,br=bridge0,id=internet,helper=/usr/lib/qemu/qemu-bridge-helper
> 
> 3) Start VM, post results. Please try to be concise ;)
I thought about this, but what could I cut out from the log that is at
the end of this email, and which I misunderstood at first...

> and post what you 
> are trying to do and actual error messages. Also provide your Qemu version.
$ qemu-system-x86_64 --version
QEMU emulator version 2.7.0, Copyright (c) 2003-2016 Fabrice Bellard and
the QEMU Project developers
$

I set up a bridge, not the way the iproute2 bridge utility does it (the one thing
from iproute2 that I don't use, yet), but the brctl way, such as:
https://wiki.gentoo.org/wiki/Network_bridge#OpenRC

This is the setup (but read /usr/share/doc/netifrc-0.4.0/net.example.bz2 if
you run Gentoo; for other distros it's different, I can't tell) [the setup]
in Gentoo:

# cat /etc/conf.d/net

modules="!udhcpc !dhclient !pump"

mac_eth0="random-ending"
config_eth0="192.168.2.4 netmask 255.255.255.0"
config_br0="192.168.1.4/24"

# A single assignment: a second brctl_br0= line would overwrite the first one
# (it is a shell variable), so all brctl options go into one multi-line
# string, as net.example shows.
brctl_br0="setfd 0
sethello 10"

bridge_br0="eth1"
rc_net_br0_need="net.eth1"

mac_eth1="00:0e:2e:fd:24:9c"
# A bridge port carries no address of its own; br0 holds 192.168.1.4/24,
# so the port is configured as null (as net.example does for bridge ports).
config_eth1="null"

But it is very specific to Gentoo, or whoever uses netifrc package in their
distro.

Anyway, I got the layer 2, the link layer (IIRC):

# ip l

...
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state 
DOWN mode DEFAULT group default qlen 1000
    link/ether 00:0e:2e:ac:5c:a9 brd ff:ff:ff:ff:ff:ff
4: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master 
br0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff
...
7: br0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue 
state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff

and I got the layer 3, the internet layer (IIRC):

# ip a

...
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state 
DOWN group default qlen 1000
    link/ether 00:0e:2e:ac:5c:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.4/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
4: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master 
br0 state DOWN group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1d9f:ad47:f44d:8d9e/64 scope link 
       valid_lft forever preferred_lft forever
...
7: br0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc noqueue 
state DOWN group default qlen 1000
    link/ether 00:0e:2e:fd:24:9c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20e:2eff:fefd:249c/64 scope link 
       valid_lft forever preferred_lft forever

My mistake, several weeks ago when I tried this but couldn't make it work, was
to create the tap0 device myself, instead of, as Aleksei said, allowing the
helper to create that tap0 device for the Qemu instance.

And this is the command that I started the Qemu with:

$ qemu-system-x86_64 -machine type=q35,accel=kvm -enable-kvm -cpu host \
        -display gtk -m 1024M -device virtio-net,netdev=internet \
        -netdev bridge,br=br0,id=internet,helper=/usr/libexec/qemu-bridge-helper \
        devuan_jessie_1.0.0-beta_amd64_cloud.qcow2

Only the helper=/usr/libexec/qemu-bridge-helper is a different string from
what Aleksei suggested (it is not in /usr/lib/qemu/qemu-bridge-helper).

I must not forget to say that I had to enable learning in the grsecurity policy
by adding this to /etc/grsec/policy:

# Role: miro
subject  /usr/libexec/qemu-bridge-helper ol
        /                               h
        -CAP_ALL
        bind    disabled
        connect disabled

However, a grsecurity-hardened system usually asks for even more care. It
protects you very well, but is quite a handful...

Here are the logs. And, of course, solving that remaining issue is a
grsecurity issue, not a qemu issue anymore.

I think the issue of setting up the network card for qemu to use is solved.
I'll only try and give a link, for completeness, once I hopefully solve the
remaining issue with grsecurity.

UPDATE: No, it isn't solved, but it wouldn't fit in this email, and I have
already written all of this. A continuation should follow soon.
---
So here are the logs (I tried to cut more out, but was unsure):
----

Oct 16 04:17:13 g0n kernel: [166436.946935] grsec: 
(miro:U:/usr/bin/qemu-system-x86_64) exec of /usr/bin/qemu-system-x86_64 
(qemu-system-x86_64 -machine type=q35,accel=kvm -enable-kvm -cpu host -display 
gtk -m 1024M -device virtio-net,netdev=internet -n) by 
/usr/bin/qemu-system-x86_64[bash:8537] uid/euid:1000/1000 gid/egid:1000/1000, 
parent /bin/bash[bash:7730] uid/euid:1000/1000 gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.088649] grsec: 
(miro:U:/usr/libexec/qemu-bridge-helper) exec of 
/usr/libexec/qemu-bridge-helper (/usr/libexec/qemu-bridge-helper --use-vnet 
--fd=14 --br=br0 ) by /usr/libexec/qemu-bridge-helper[qemu-system-x86:8539] 
uid/euid:1000/1000 gid/egid:1000/1000, parent 
/usr/bin/qemu-system-x86_64[qemu-system-x86:8537] uid/euid:1000/1000 
gid/egid:1000/1000
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied

...[   9 lines like the above cut ]...

Oct 16 04:17:14 g0n kernel: [166437.091526] br0: port 2(tap0) entered blocking 
state
Oct 16 04:17:14 g0n kernel: [166437.091530] br0: port 2(tap0) entered disabled 
state
Oct 16 04:17:14 g0n kernel: [166437.091593] device tap0 entered promiscuous mode
Oct 16 04:17:14 g0n kernel: [166437.091780] br0: port 2(tap0) entered blocking 
state
Oct 16 04:17:14 g0n kernel: [166437.091782] br0: port 2(tap0) entered 
forwarding state
Oct 16 04:17:14 g0n kernel: [166437.091975] grsec: (root:U:/sbin/dhcpcd) denied 
open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by 
/sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] 
uid/euid:0/0 gid/egid:0/0

...[   3 lines like the above cut ]...

Oct 16 04:17:14 g0n kernel: [166437.093061] grsec: more alerts, logging 
disabled for 10 seconds
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:14 g0n kernel: [166437.117118] grsec: (root:U:/) exec of 
/lib64/udev/net.sh (/lib/udev/net.sh tap0 start ) by 
/lib64/udev/net.sh[udevd:8541] uid/euid:0/0 gid/egid:0/0, parent 
/sbin/udevd[udevd:8540] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:14 g0n kernel: [166437.251692] grsec: (miro:U:/bin/bash) exec of 
/bin/bash (sh -c "/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 
"The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " ) by 
/bin/bash[X:8546] uid/euid:1000/1000 gid/egid:1000/1000, parent 
/usr/bin/Xorg[X:3762] uid/euid:1000/0 gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.256460] grsec: (miro:U:/) exec of 
/usr/bin/xkbcomp (/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The 
XKEYBOARD keymap compiler (xkbcomp) reports: -emp >  -eml Errors from) by 
/usr/bin/xkbcomp[sh:8546] uid/euid:1000/1000 gid/egid:1000/1000, parent 
/usr/bin/Xorg[X:3762] uid/euid:1000/0 gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.289064] grsec: (miro:U:/) chdir to 
/usr/share/X11/xkb by /usr/bin/xkbcomp[xkbcomp:8546] uid/euid:1000/1000 
gid/egid:1000/1000, parent /usr/bin/Xorg[X:3762] uid/euid:1000/0 
gid/egid:1000/1000
Oct 16 04:17:14 g0n kernel: [166437.496711] kvm: zapping shadow pages for mmio 
generation wraparound
Oct 16 04:17:14 g0n kernel: [166437.498685] kvm: zapping shadow pages for mmio 
generation wraparound
Oct 16 04:17:18 g0n kernel: [166441.484107] kvm [8537]: vcpu0, guest rIP: 
0xffffffff81051ab2 unhandled rdmsr: 0xc0010048
Oct 16 04:17:19 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:21 g0n kernel: [166444.923022] kvm [8537]: vcpu0, guest rIP: 
0xffffffff81051ab2 unhandled rdmsr: 0x3a
Oct 16 04:17:21 g0n kernel: [166444.923050] kvm [8537]: vcpu0, guest rIP: 
0xffffffff81051ab2 unhandled rdmsr: 0xd90
Oct 16 04:17:23 g0n kernel: [166446.914901] mrfw_dropIN=br0 OUT= PHYSIN=tap0 
MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 
LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:25 g0n kernel: [166448.056851] grsec: 
(root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks 
(/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:8577] 
uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 
gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.062714] grsec: (root:U:/bin/rm) exec of 
/bin/rm (rm -f /run/dhcpcd/resolv.conf/br0.ra ) by 
/bin/rm[dhcpcd-run-hook:8578] uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.065854] grsec: 
(root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8580] uid/euid:0/0 gid/egid:0/0, 
parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 
gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.066463] grsec: (root:U:/) exec of /bin/sed 
(sed -n s/^domain //p br0.dhcp br0.dhcp6 br0.ra ) by 
/bin/sed[dhcpcd-run-hook:8581] uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8580] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.068624] grsec: 
(root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8582] uid/euid:0/0 gid/egid:0/0, 
parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 
gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.069095] grsec: (root:U:/) exec of /bin/sed 
(sed -n s/^search //p br0.dhcp br0.dhcp6 br0.ra ) by 
/bin/sed[dhcpcd-run-hook:8583] uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8582] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.070879] grsec: 
(root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8584] uid/euid:0/0 gid/egid:0/0, 
parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 
gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.071328] grsec: (root:U:/) exec of /bin/sed 
(sed -n s/^nameserver //p br0.dhcp br0.dhcp6 br0.ra ) by 
/bin/sed[dhcpcd-run-hook:8585] uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8584] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.074543] grsec: (root:U:/) exec of 
/usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.br0.ra ) by 
/usr/bin/cmp[dhcpcd-run-hook:8587] uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.075666] grsec: (root:U:/bin/rm) exec of 
/bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by 
/bin/rm[dhcpcd-run-hook:8588] uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.076639] grsec: (root:U:/bin/rm) exec of 
/bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by 
/bin/rm[dhcpcd-run-hook:8589] uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8577] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:25 g0n kernel: [166448.079243] grsec: (root:U:/bin/hostname) exec 
of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:8591] 
uid/euid:0/0 gid/egid:0/0, parent 
/lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:8590] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:26 g0n kernel: [166449.177067] mrfw_dropIN=br0 OUT= PHYSIN=tap0 
MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 
LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:26 g0n kernel: [166449.356912] mrfw_dropIN=br0 OUT= PHYSIN=eth1 
MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 
DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 
DPT=68 LEN=556 
Oct 16 04:17:29 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:29 g0n kernel: [166452.124642] grsec: (root:U:/sbin/dhcpcd) denied 
open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by 
/sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] 
uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:33 g0n kernel: [166456.186541] mrfw_dropIN=br0 OUT= PHYSIN=tap0 
MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 
LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:45 g0n kernel: [166468.386463] mrfw_dropIN=br0 OUT= PHYSIN=tap0 
MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 
LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:17:58 g0n kernel: [166481.715249] mrfw_dropIN=br0 OUT= PHYSIN=eth1 
MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 
DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 
DPT=68 LEN=556 
Oct 16 04:18:06 g0n kernel: [166489.910925] mrfw_dropIN=br0 OUT= PHYSIN=tap0 
MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 
LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Oct 16 04:18:10 g0n kernel: [166493.027352] grsec: (root:U:/etc/cron.daily) 
exec of /bin/date (date +%y%m%d_%H ) by /bin/date[yclamscan:8602] uid/euid:0/0 
gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:8601] uid/euid:0/0 
gid/egid:0/0
Oct 16 04:18:10 g0n kernel: [166493.031206] grsec: (root:U:/etc/cron.daily) 
exec of /bin/hostname (hostname ) by /bin/hostname[yclamscan:8603] uid/euid:0/0 
gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:8601] uid/euid:0/0 
gid/egid:0/0
Oct 16 04:18:10 g0n kernel: [166493.033980] grsec: (root:U:/etc/cron.daily) 
exec of /usr/bin/clamscan (/usr/bin/clamscan -r -i --detect-pua=yes 
--detect-structured=yes --phishing-sigs=yes --cross-fs=no /Cmn ) by 
/usr/bin/clamscan[yclamscan:8601] uid/euid:0/0 gid/egid:0/0, parent 
/etc/cron.daily/yclamscan[yclamscan:4853] uid/euid:0/0 gid/egid:0/0
Oct 16 04:18:29 g0n kernel: [166512.519690] br0: port 2(tap0) entered disabled 
state
Oct 16 04:18:29 g0n kernel: [166512.519935] device tap0 left promiscuous mode
Oct 16 04:18:29 g0n kernel: [166512.519950] br0: port 2(tap0) entered disabled 
state
Oct 16 04:18:29 g0n kernel: [166512.522496] grsec: (root:U:/) exec of 
/lib64/udev/net.sh (/lib/udev/net.sh tap0 stop ) by 
/lib64/udev/net.sh[udevd:8640] uid/euid:0/0 gid/egid:0/0, parent 
/sbin/udevd[udevd:8636] uid/euid:0/0 gid/egid:0/0
Oct 16 04:18:32 g0n kernel: [166515.032489] sky2 0000:06:00.0 eth1: Link is down
Oct 16 04:18:32 g0n dhcpcd[7442]: eth1: carrier lost
Oct 16 04:18:32 g0n kernel: [166515.033919] br0: port 1(eth1) entered disabled 
state

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
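The log excerpt in the mail above mixes four kinds of records: grsecurity RBAC exec audit lines, grsecurity RBAC denials (plus the "more alerts, logging disabled" rate-limit notice, which means part of the record is missing), netfilter LOG hits whose "mrfw_drop" prefix is glued to "IN=" because the log prefix has no trailing space, and dhcpcd's per-interface messages. Sorting those apart by hand is what makes such a log hard to trim. The script below is an added example, not code from the original mail nor from grsecurity, QEMU or dhcpcd; it buckets such lines and counts denials per RBAC subject, DHCP hits per bridge port and direction, and dhcpcd messages per interface. It assumes the grsec and netfilter line layouts exactly as they appear in the excerpt, and its sample input is a handful of lines copied from that excerpt with the mail client's line wrapping undone.

```python
"""Triage of a host log like the excerpt above: separates grsecurity RBAC
denials, RBAC exec audit lines, rate-limit notices, netfilter LOG hits and
dhcpcd messages, then counts them per subject, bridge port and interface."""
import re
from collections import Counter

# Constructed sample: seven records copied from the excerpt above, each
# re-joined onto a single line (the mail client had wrapped them).
SAMPLE_LOG = """\
Oct 16 04:17:14 g0n kernel: [166437.088649] grsec: (miro:U:/usr/libexec/qemu-bridge-helper) exec of /usr/libexec/qemu-bridge-helper (/usr/libexec/qemu-bridge-helper --use-vnet --fd=14 --br=br0 ) by /usr/libexec/qemu-bridge-helper[qemu-system-x86:8539] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/qemu-system-x86_64[qemu-system-x86:8537] uid/euid:1000/1000 gid/egid:1000/1000
Oct 16 04:17:14 g0n dhcpcd[7442]: tap0: if_init: Permission denied
Oct 16 04:17:14 g0n kernel: [166437.091975] grsec: (root:U:/sbin/dhcpcd) denied open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 16 04:17:14 g0n kernel: [166437.093061] grsec: more alerts, logging disabled for 10 seconds
Oct 16 04:17:23 g0n kernel: [166446.914901] mrfw_dropIN=br0 OUT= PHYSIN=tap0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:12:34:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 16 04:17:26 g0n kernel: [166449.356912] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 16 04:17:29 g0n kernel: [166452.124642] grsec: (root:U:/sbin/dhcpcd) denied open of /proc/sys/net/ipv4/conf/tap0/promote_secondaries for writing by /sbin/dhcpcd[dhcpcd:7442] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# Kernel records carry a "[seconds.usec] " stamp after "kernel: ".
KERNEL_MSG = re.compile(r" kernel: \[\s*\d+\.\d+\] (?P<msg>.*)$")
# grsec RBAC audit layout as seen above: "(role:type:subject) <event> ... by exe[comm:pid] uid/euid:a/b"
GRSEC_DENIED = re.compile(
    r"^grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) denied "
    r"(?P<what>.+?) by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
GRSEC_EXEC = re.compile(
    r"^grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) exec of "
    r"(?P<exe>\S+) \((?P<argv>.*?)\) by \S+\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")
GRSEC_RATELIMIT = re.compile(r"^grsec: more alerts, logging disabled for (?P<secs>\d+) seconds")
DHCPCD_MSG = re.compile(r" dhcpcd\[\d+\]: (?P<ifname>[^:\s]+): (?P<text>.+)$")


def parse_nf_log(msg):
    """Parse one netfilter LOG-target message into its KEY=VALUE fields.
    A --log-prefix given without a trailing space is glued to "IN=" (the
    "mrfw_dropIN=br0" above), so split on the first "IN=" rather than on
    whitespace. The first LEN= (the IP total length) is the one kept."""
    prefix, sep, rest = msg.partition("IN=")
    if not sep:
        return None
    fields = {"prefix": prefix.strip()}
    for tok in ("IN=" + rest).split():
        key, _, val = tok.partition("=")
        fields.setdefault(key, val)
    return fields if all(k in fields for k in ("OUT", "SRC", "DST")) else None


def dhcp_direction(f):
    """Classify a UDP hit by its DHCP port pair; None for anything else."""
    if f.get("PROTO") != "UDP":
        return None
    ports = (f.get("SPT"), f.get("DPT"))
    if ports == ("68", "67"):
        return "client->server"   # DISCOVER/REQUEST leaving the client side
    if ports == ("67", "68"):
        return "server->client"   # OFFER/ACK coming from the server side
    return None


def triage(log_text):
    """Bucket every line of a syslog-style text into counters and lists."""
    rep = {"denials": Counter(), "execs": [], "drops": [], "dhcp_drops": Counter(),
           "dhcpcd_msgs": Counter(), "suppressed_secs": 0}
    for line in log_text.splitlines():
        m = DHCPCD_MSG.search(line)
        if m:
            rep["dhcpcd_msgs"][(m["ifname"], m["text"])] += 1
            continue
        km = KERNEL_MSG.search(line)
        if not km:
            continue
        msg = km["msg"]
        if m := GRSEC_DENIED.match(msg):
            rep["denials"][(m["subject"], m["what"])] += 1
        elif m := GRSEC_EXEC.match(msg):
            rep["execs"].append((m["subject"], m["exe"], int(m["euid"])))
        elif m := GRSEC_RATELIMIT.match(msg):
            # grsec stopped logging for this long: the record has a hole here
            rep["suppressed_secs"] += int(m["secs"])
        elif f := parse_nf_log(msg):
            rep["drops"].append(f)
            if d := dhcp_direction(f):
                # PHYSIN names the bridge port the frame arrived on
                rep["dhcp_drops"][(f.get("PHYSIN", f["IN"]), d)] += 1
    return rep


def render(rep):
    """Short human-readable summary of a triage() result."""
    out = [f"{s}: denied {w} x{n}" for (s, w), n in sorted(rep["denials"].items())]
    if rep["suppressed_secs"]:
        out.append(f"[!] grsec rate limit hit, {rep['suppressed_secs']}s of alerts not logged")
    out += [f"{p}: DHCP {d} hit the firewall x{n}" for (p, d), n in sorted(rep["dhcp_drops"].items())]
    out += [f"dhcpcd {i}: {t} x{n}" for (i, t), n in sorted(rep["dhcpcd_msgs"].items())]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(triage(SAMPLE_LOG)))
```

Run on the sample, the report isolates the remaining grsecurity item as a denial against the /sbin/dhcpcd subject (writing the tap0 promote_secondaries sysctl), separately from the helper's exec line, and shows that the "mrfw_drop" rule logged DHCP broadcasts arriving on br0 from both ports, tap0 and eth1. In those hits OUT is empty, so they are the copies on the host's own input path (INPUT or a PREROUTING chain); whether the bridged copy between the two ports was also dropped is not something these lines show, and the 10-second rate-limit hole means some grsec events are absent from the record altogether.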
