
Re: [PATCH] apparmor: allow libvirtd to call virtiofsd



On Mon, Aug 24, 2020 at 2:21 PM Christian Ehrhardt
<christian ehrhardt canonical com> wrote:
>
> On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke <kevin kevinlocke name> wrote:
> >
> > When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> > filesystem access on the host.  When a guest is configured with
> > virtiofs, such as:
> >
> >     <filesystem type='mount' accessmode='passthrough'>
> >       <driver type='virtiofs'/>
> >       <source dir='/path'/>
> >       <target dir='mount_tag'/>
> >     </filesystem>
> >
> > Attempting to start the guest fails with:
> >
> >     internal error: virtiofsd died unexpectedly
> >
> > /var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
> >
> >     libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd: Permission denied
> >
> > dmesg contains:
> >
> >     audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

I was prepping to commit this sometime soon and for my own testing -
while doing so I realized this line is very long.
While https://libvirt.org/submitting-patches.html doesn't mention a
limit, it is generally useful to wrap at 72 or at least 80 chars.
This can be done by the committer, but obviously is less work for
everyone if wrapped from the start.

> >
> > To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> > profile.
> >
> > [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> > [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
>
> The added rule and reasoning LGTM,
> Reviewed-by: Christian Ehrhardt <christian ehrhardt canonical com>
>
> P.S. I'm also adding Jamie for his extra depth on apparmor topics.
>
> > Signed-off-by: Kevin Locke <kevin kevinlocke name>
> > ---
> >  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> > index 4518e8f865..f2030764cd 100644
> > --- a/src/security/apparmor/usr.sbin.libvirtd.in
> > +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> > @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> >    /usr/lib/xen-*/bin/libxl-save-helper PUx,
> >    /usr/lib/xen-*/bin/pygrub PUx,
> >    /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> > +  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
> >
> >    # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
> >    # read and run an ebtables script.
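Review bot: the added `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,` line matches the denied path `/usr/lib/qemu/virtiofsd` from the audit record and copies the form of the `vhost-user-gpu` rule directly above it, so placement and style fit; the point worth raising is the mode. `PUx` falls back to unconfined execution (with a scrubbed environment) whenever no profile exists for the virtiofsd binary, and since virtiofsd is a long-lived helper exporting host directories to the guest, that leaves it outside AppArmor confinement on systems that ship no such profile. Suggest the commit message state that this deliberately mirrors the existing helper rules and that a dedicated virtiofsd profile is left for a follow-up, so the widened trust boundary is recorded rather than implicit.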
> > --
> > 2.28.0
> >
>
>
> --
> Christian Ehrhardt
> Staff Engineer, Ubuntu Server
> Canonical Ltd



-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
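To check mechanically that the rule in the hunk above covers the path in the quoted audit record, here is an added example that is mine, not code from this thread or from libvirt: it parses the AppArmor DENIED line, expands the rule's brace alternation, and tests the denied exec mask against the profile's file rules. The glob and mode handling is a simplified reimplementation, not AppArmor's own matcher, and the rule list is constructed from the hunk.

```python
import re

# Constructed sample: the dmesg record quoted in the patch description.
AUDIT_LINE = ('audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" '
              'operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" '
              'pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0')

# Exec rules from the hunk, the new virtiofsd line last (constructed list).
PROFILE_RULES = ['/usr/lib/xen-*/bin/pygrub PUx,',
                 '/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,',
                 '/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,']

def parse_audit_fields(line):
    """Return the key=value fields of an audit record; values may be quoted or bare."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def expand_braces(pattern):
    """Expand AppArmor {a,b,c} alternations (nesting allowed) into plain globs."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    return [g for alt in m.group(1).split(',')
            for g in expand_braces(pattern[:m.start()] + alt + pattern[m.end():])]

def glob_to_regex(glob):
    """AppArmor path glob -> anchored regex: '**' may cross '/', '*' and '?' may not."""
    rx, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            rx, i = rx + '.*', i + 2
        else:
            rx += {'*': '[^/]*', '?': '[^/]'}.get(glob[i], re.escape(glob[i]))
            i += 1
    return re.compile('^' + rx + '$')

def rule_covers(rule, path, mask):
    """True if file rule '<glob> <mode>,' grants every letter of `mask` on `path`.
    Simplification: mode letters compare case-insensitively (PUx, ix, Cx all give 'x')."""
    glob, mode = rule.rstrip(',').split()
    return set(mask) <= set(mode.lower()) and any(
        glob_to_regex(g).match(path) for g in expand_braces(glob))

def find_covering_rules(audit_line, rules):
    """Rules that would have permitted the DENIED access described by `audit_line`."""
    f = parse_audit_fields(audit_line)
    if f.get('apparmor') != 'DENIED' or not {'name', 'denied_mask'} <= set(f):
        return []
    return [r for r in rules if rule_covers(r, f['name'], f['denied_mask'])]
```

Running `find_covering_rules(AUDIT_LINE, PROFILE_RULES[:2])` returns an empty list (the denial as shipped), while the full list returns only the new virtiofsd rule.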

