Re: [PATCH] apparmor: allow libvirtd to call virtiofsd

2020-08-25 Thread Christian Ehrhardt
On Mon, Aug 24, 2020 at 2:21 PM Christian Ehrhardt
 wrote:
>
> On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke  wrote:
> >
> > When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> > filesystem access on the host.  When a guest is configured with
> > virtiofs, such as:
> >
> > 
> >   
> >   
> >   
> > 
> >
> > Attempting to start the guest fails with:
> >
> > internal error: virtiofsd died unexpectedly
> >
> > /var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
> >
> > libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd: 
> > Permission denied
> >
> > dmesg contains:
> >
> > audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" 
> > operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" 
> > pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 
> > ouid=0

I was prepping to commit this sometime soon and for my own testing -
while doing so I realized this line is very long.
While https://libvirt.org/submitting-patches.html doesn't mention a
limit it is generally useful to wrap at 72 or at least 80 chars.
This can be done by the committer, but obviously is less work for
everyone if wrapped from the start.

> >
> > To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> > profile.
> >
> > [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> > [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
>
> The added rule and reasoning LGTM,
> Reviewed-by: Christian Ehrhardt 
>
> P.S. I'm also adding Jamie for his extra depth on apparmor topics.
>
> > Signed-off-by: Kevin Locke 
> > ---
> >  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in 
> > b/src/security/apparmor/usr.sbin.libvirtd.in
> > index 4518e8f865..f2030764cd 100644
> > --- a/src/security/apparmor/usr.sbin.libvirtd.in
> > +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> > @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd 
> > flags=(attach_disconnected) {
> >/usr/lib/xen-*/bin/libxl-save-helper PUx,
> >/usr/lib/xen-*/bin/pygrub PUx,
> >/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> > +  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
> >
> ># Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
> ># read and run an ebtables script.
> > --
> > 2.28.0
> >
>
>
> --
> Christian Ehrhardt
> Staff Engineer, Ubuntu Server
> Canonical Ltd



-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd



Re: [PATCH] apparmor: allow libvirtd to call virtiofsd

2020-08-24 Thread Christian Ehrhardt
On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke  wrote:
>
> When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> filesystem access on the host.  When a guest is configured with
> virtiofs, such as:
>
> 
>   
>   
>   
> 
>
> Attempting to start the guest fails with:
>
> internal error: virtiofsd died unexpectedly
>
> /var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
>
> libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd: 
> Permission denied
>
> dmesg contains:
>
> audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" 
> operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 
> comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>
> To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> profile.
>
> [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html

The added rule and reasoning LGTM,
Reviewed-by: Christian Ehrhardt 

P.S. I'm also adding Jamie for his extra depth on apparmor topics.

> Signed-off-by: Kevin Locke 
> ---
>  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in 
> b/src/security/apparmor/usr.sbin.libvirtd.in
> index 4518e8f865..f2030764cd 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd 
> flags=(attach_disconnected) {
>/usr/lib/xen-*/bin/libxl-save-helper PUx,
>/usr/lib/xen-*/bin/pygrub PUx,
>/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> +  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
># Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
># read and run an ebtables script.
> --
> 2.28.0
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd



[PATCH] apparmor: allow libvirtd to call virtiofsd

2020-08-24 Thread Kevin Locke
When using [virtiofs], libvirtd must launch [virtiofsd] to provide
filesystem access on the host.  When a guest is configured with
virtiofs, such as:


  
  
  


Attempting to start the guest fails with:

internal error: virtiofsd died unexpectedly

/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:

libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd: Permission 
denied

dmesg contains:

audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" 
operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 
comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
profile.

[virtiofs]: https://libvirt.org/kbase/virtiofs.html
[virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html

Signed-off-by: Kevin Locke 
---
 src/security/apparmor/usr.sbin.libvirtd.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/apparmor/usr.sbin.libvirtd.in 
b/src/security/apparmor/usr.sbin.libvirtd.in
index 4518e8f865..f2030764cd 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd 
flags=(attach_disconnected) {
   /usr/lib/xen-*/bin/libxl-save-helper PUx,
   /usr/lib/xen-*/bin/pygrub PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
+  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
 
   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
   # read and run an ebtables script.
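Review bot: the `PUx` mode on `+  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,` means virtiofsd transitions to its own profile only if one is loaded and otherwise runs unconfined (with environment scrubbing), and no virtiofsd profile is added in this patch; since this daemon serves the guest's view of the host filesystem, the commit message should state that it runs unconfined until a dedicated profile exists, so the choice is recorded rather than inherited silently from the vhost-user-gpu line above. The alternation does cover `/usr/lib/qemu/virtiofsd`, the path in the quoted audit denial, so the rule as written resolves the reported failure.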
-- 
2.28.0
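As an added example (not part of this patch or of libvirt), the following checks a denial like the one in the description against the profile's exec rules: it parses the audit line into fields and tests whether any rule, expanded for AppArmor brace alternation and `*`/`**` globbing, matches the denied path with the denied mask. The audit line and the rule lines from the hunk are embedded as constructed input; the globbing and mode handling are a simplified reading of AppArmor syntax, not the real parser.

```python
import re

# Constructed sample: the audit denial from the patch description, joined onto one line.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" '
    'operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" '
    'pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'
)
# Constructed sample: the exec rules visible in the hunk, before and after the patch.
RULES_BEFORE = """
  /usr/lib/xen-*/bin/libxl-save-helper PUx,
  /usr/lib/xen-*/bin/pygrub PUx,
  /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
"""
RULES_AFTER = RULES_BEFORE + "  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,\n"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_GLOB_TRANS = {'**': '.*', '*': '[^/]*', '?': '[^/]'}


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def expand_braces(glob):
    """Expand AppArmor {a,b,...} alternations into the list of concrete globs."""
    m = re.search(r'\{([^{}]*)\}', glob)
    if not m:
        return [glob]
    return [g for alt in m.group(1).split(',')
            for g in expand_braces(glob[:m.start()] + alt + glob[m.end():])]


def glob_to_regex(glob):
    """AppArmor globbing: '*' and '?' stop at '/', only '**' crosses directories."""
    parts = re.split(r'(\*\*|\*|\?)', glob)
    return re.compile(''.join(_GLOB_TRANS.get(p, re.escape(p)) for p in parts) + r'\Z')


def rule_permits(rules_text, path, mask):
    """True if some rule's glob matches `path` and its mode covers every char of `mask`."""
    for raw in rules_text.splitlines():
        rule = raw.strip().rstrip(',')
        if not rule or rule.startswith('#'):
            continue
        glob, mode = rule.rsplit(None, 1)
        if all(ch in mode for ch in mask) and any(
                glob_to_regex(g).match(path) for g in expand_braces(glob)):
            return True
    return False
```

Running `rule_permits(RULES_BEFORE, ...)` and `rule_permits(RULES_AFTER, ...)` on the parsed `name` and `denied_mask` shows the pre-patch rules rejecting the exec and the added rule accepting it for every alternation in the brace list.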