Re: [PATCH] apparmor: allow libvirtd to call virtiofsd
On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke <kevin(a)kevinlocke.name> wrote:
When using [virtiofs], libvirtd must launch [virtiofsd] to provide
filesystem access on the host. When a guest is configured with
virtiofs, such as:
<filesystem type='mount' accessmode='passthrough'>
<driver type='virtiofs'/>
<source dir='/path'/>
<target dir='mount_tag'/>
</filesystem>
Attempting to start the guest fails with:
internal error: virtiofsd died unexpectedly
/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
libvirt: error : cannot execute binary /usr/lib/qemu/virtiofsd: Permission denied
dmesg contains:
audit: type=1400 audit(1598229295.959:73): apparmor="DENIED"
operation="exec" profile="libvirtd"
name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker"
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
profile.
[virtiofs]: https://libvirt.org/kbase/virtiofs.html
[virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
The added rule and reasoning LGTM,
Reviewed-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
P.S. I'm also adding Jamie for his extra depth on apparmor topics.
Signed-off-by: Kevin Locke <kevin(a)kevinlocke.name>
---
src/security/apparmor/usr.sbin.libvirtd.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
index 4518e8f865..f2030764cd 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
/usr/lib/xen-*/bin/libxl-save-helper PUx,
/usr/lib/xen-*/bin/pygrub PUx,
/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
+ /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
# read and run an ebtables script.
--
2.28.0
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd