Repro:
1. Start a new guest from which I dropped any network (e.g. created via uvtool)
2. Check the rendered profile - as expected there is no /dev/vhost-net
$ cat /etc/apparmor.d/libvirt/$(virsh dominfo disco-test-vhost | awk '/^Security label:/ {print $3}').files
# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
"/var/log/libvirt/**/disco-test-vhost.log" w,
"/var/lib/libvirt/qemu/domain-disco-test-vhost/monitor.sock" rw,
"/var/lib/libvirt/qemu/domain-1-disco-test-vhost/*" rw,
"/var/run/libvirt/**/disco-test-vhost.pid" rwk,
"/run/libvirt/**/disco-test-vhost.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.disco-test-vhost" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.disco-test-vhost" rw,
"/var/lib/uvtool/libvirt/images/disco-test-vhost.qcow" rwk,
"/var/lib/uvtool/libvirt/images/x-uvt-b64-Y29tLnVidW50dS5jbG91ZC5kYWlseTpzZXJ2ZXI6MTkuMDQ6YW1kNjQgMjAxOTAyMTA=" rk,
"/var/lib/uvtool/libvirt/images/disco-test-vhost-ds.qcow" rwk,
"/var/lib/libvirt/qemu/domain-1-disco-test-vhost/{,**}" rwk,
"/var/lib/libvirt/qemu/channel/target/domain-1-disco-test-vhost/{,**}" rwk,
"/var/lib/libvirt/qemu/domain-1-disco-test-vhost/master-key.aes" rwk,
3. Try to hot-add a virtio vhost-net device (and track dmesg)
$ cat net.xml
<interface type='network'>
<mac address='52:54:00:f6:9a:47'/>
<source network='default'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
$ virsh attach-device disco-test-vhost net.xml
error: Failed to attach device from net.xml
error: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS
And dmesg reports:
audit: type=1400 audit(1550159090.042:133): apparmor="DENIED" operation="file_receive" profile="libvirt-236ce1b4-61fd-4aa5-8031-a4df09de5b32" name="/dev/vhost-net" pid=22374 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
That should be exactly your error; now let's check what security labeling calls are made ...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1815910
Title:
Apparmor blocks access to /dev/vhost-net
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815910/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
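Added example, not part of the bug report above: a small detector that parses AppArmor audit lines like the dmesg entry in the repro and flags the pattern this bug produces (a libvirt-* profile denied a file_receive of /dev/vhost-net, i.e. the fd libvirt passed over the monitor socket was rejected on QEMU's side). The sample log text is constructed; the helper names and the suggested-rule format are assumptions, not libvirt code.

```python
import re

# Constructed sample: the denial from the bug report, a second (made-up) denial
# for an unrelated open(), and a non-audit line that must be ignored.
SAMPLE_DMESG = """\
audit: type=1400 audit(1550159090.042:133): apparmor="DENIED" operation="file_receive" profile="libvirt-236ce1b4-61fd-4aa5-8031-a4df09de5b32" name="/dev/vhost-net" pid=22374 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
audit: type=1400 audit(1550159091.100:134): apparmor="DENIED" operation="open" profile="libvirt-236ce1b4-61fd-4aa5-8031-a4df09de5b32" name="/etc/shadow" pid=22374 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
kernel: some unrelated line
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return a dict of key=value fields from one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def find_fd_receive_denials(text, device="/dev/vhost-net"):
    """Events where a libvirt-* (per-domain QEMU) profile was denied receiving
    the device fd via SCM_RIGHTS, which is what breaks the 'getfd' command."""
    hits = []
    for line in text.splitlines():
        ev = parse_audit_line(line)
        if not ev:
            continue
        if (ev.get("apparmor") == "DENIED"
                and ev.get("operation") == "file_receive"
                and ev.get("name") == device
                and ev.get("profile", "").startswith("libvirt-")):
            hits.append(ev)
    return hits


def suggested_rule(ev):
    """Rule line (assumed format, matching the rendered .files profile style)
    that would grant the denied access, e.g. "/dev/vhost-net" rw,"""
    perms = "".join(sorted(set(ev["denied_mask"])))
    return '"%s" %s,' % (ev["name"], perms)


if __name__ == "__main__":
    for ev in find_fd_receive_denials(SAMPLE_DMESG):
        print("pid %s (%s) denied %s -> add: %s"
              % (ev["pid"], ev["comm"], ev["name"], suggested_rule(ev)))
```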