Public bug reported:
$ cat > vhostuser-SF-case.xml << EOF
<interface type='vhostuser'>
  <source type='unix' path='/run/test' mode='server'/>
  <model type='virtio'/>
  <driver queues='2'>
    <host mrg_rxbuf='on'/>
  </driver>
</interface>
EOF
$ virsh attach-device <anyguest> vhostuser-SF-case.xml
Expect:
- qemu gets sec label added
- qemu creates the new path
Happens:
- qemu gets no apparmor label for the path
- qemu is blocked from creating the server socket
Works:
- static attachment (virt-aa-helper will render the apparmor rule)
Workaround:
- use overrides to allow the base path to be accessed via
  /etc/apparmor.d/local/abstractions/libvirt-qemu (if available) or
  /etc/apparmor.d/abstractions/libvirt-qemu
TODO:
- debug libvirt while doing the hot-add and check if it already uses any
  security labeling calls
- if it does but apparmor is missing, implement their backend
- if they don't, then we need to add a labelling call for the path attribute
  of any interface that carries a type=unix source
** Affects: libvirt (Ubuntu)
Importance: Medium
Status: Triaged
** Affects: libvirt (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: libvirt (Ubuntu Disco)
Importance: Undecided
Status: New
** Affects: libvirt (Ubuntu Eoan)
Importance: Undecided
Status: New
** Also affects: libvirt (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: libvirt (Ubuntu Eoan)
Importance: Undecided
Status: New
** Also affects: libvirt (Ubuntu Disco)
Importance: Undecided
Status: New
** Changed in: libvirt (Ubuntu)
Status: New => Triaged
** Changed in: libvirt (Ubuntu)
Importance: Undecided => Medium
https://bugs.launchpad.net/bugs/1859016
Title:
network in vhostuser server mode not hot-addable due to apparmor
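An added example, not part of the original report or of libvirt: a Python sketch that reads the device XML from the report and prints exact-path rules for the local override file named in the workaround. The helper names, the `rw` permission string and the choice of an exact socket path instead of the base path are assumptions. Because the abstraction is included by every libvirt guest profile, the sketch refuses paths containing AppArmor pattern characters.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the device XML from the report above.
DEVICE_XML = """
<interface type='vhostuser'>
  <source type='unix' path='/run/test' mode='server'/>
  <model type='virtio'/>
  <driver queues='2'>
    <host mrg_rxbuf='on'/>
  </driver>
</interface>
"""

# Characters AppArmor treats as globbing, alternation, variables or quoting.
AARE_SPECIAL = set('*?[]{}^@"\\')

def vhostuser_socket_paths(xml_text):
    """Return the path of every vhostuser interface with a type='unix' source."""
    root = ET.fromstring(xml_text)
    paths = []
    for iface in root.iter("interface"):  # bare device or a full <domain>
        if iface.get("type") != "vhostuser":
            continue
        for src in iface.findall("source"):
            if src.get("type") == "unix" and src.get("path"):
                paths.append(src.get("path"))
    return paths

def is_literal_path(path):
    """True only for an absolute path with no pattern characters or '..'."""
    return (path.startswith("/")
            and not any(c in AARE_SPECIAL or c.isspace() for c in path)
            and ".." not in path.split("/"))

def override_rules(xml_text, perms="rw"):
    """One exact-path rule per socket; 'rw' is an assumed permission set."""
    rules = []
    for path in vhostuser_socket_paths(xml_text):
        if not is_literal_path(path):
            raise ValueError(f"refusing non-literal socket path: {path!r}")
        rules.append(f'  "{path}" {perms},')
    return rules

if __name__ == "__main__":
    print("\n".join(override_rules(DEVICE_XML)))
```

The printed lines would be appended to the override file and the affected profiles reloaded before retrying the hot-add.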