On Mon, Aug 24, 2020 at 2:21 PM Christian Ehrhardt
<christian.ehrhardt(a)canonical.com> wrote:
On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke <kevin(a)kevinlocke.name> wrote:
>
> When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> filesystem access on the host. When a guest is configured with
> virtiofs, such as:
>
> <filesystem type='mount' accessmode='passthrough'>
> <driver type='virtiofs'/>
> <source dir='/path'/>
> <target dir='mount_tag'/>
> </filesystem>
>
> Attempting to start the guest fails with:
>
> internal error: virtiofsd died unexpectedly
>
> /var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
>
> libvirt: error : cannot execute binary /usr/lib/qemu/virtiofsd: Permission denied
>
> dmesg contains:
>
> audit: type=1400 audit(1598229295.959:73): apparmor="DENIED"
> operation="exec" profile="libvirtd"
> name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker"
> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
I was prepping to commit this sometime soon and for my own testing;
while doing so I realized this line is very long.
While https://libvirt.org/submitting-patches.html doesn't mention a
limit, it is generally useful to wrap at 72 or at least 80 chars.
This can be done by the committer, but obviously it is less work for
everyone if wrapped from the start.
>
> To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> profile.
>
> [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
The added rule and reasoning LGTM,
Reviewed-by: Christian Ehrhardt <christian.ehrhardt(a)canonical.com>
P.S. I'm also adding Jamie for his extra depth on apparmor topics.
> Signed-off-by: Kevin Locke <kevin(a)kevinlocke.name>
> ---
> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in
b/src/security/apparmor/usr.sbin.libvirtd.in
> index 4518e8f865..f2030764cd 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> /usr/lib/xen-*/bin/libxl-save-helper PUx,
> /usr/lib/xen-*/bin/pygrub PUx,
> /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
> # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
> # read and run an ebtables script.
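Review bot: PUx falls back to running virtiofsd unconfined whenever no dedicated virtiofsd profile is loaded, so the commit message should say that no such profile exists yet and that the unconfined fallback is deliberate; the audit line in the description shows the exec happening as root (fsuid=0, comm="rpc-worker") under profile="libvirtd", and virtiofsd is the process that hands host directories to the guest, so a reader of the log will want that trade-off spelled out rather than inferred from the neighbouring `/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,` rule. The brace set is copied from that rule and does cover the denied path /usr/lib/qemu/virtiofsd from the log, which is the right place for the rule given the denial is attributed to the libvirtd profile rather than a per-VM qemu profile.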
> --
> 2.28.0
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
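Added example, not code from the patch, from libvirt or from the AppArmor project: a small POSIX shell helper that turns an AppArmor "DENIED" audit line of the shape quoted in the thread into the candidate profile rule, and checks whether a profile text already covers the denied path, before and after a rule like the one in the patch. The audit line and the profile fragments are constructed for the example (in the style of usr.sbin.libvirtd.in); the function names aa_field, aa_suggest_rule, expand_braces and aa_profile_covers are my own. Globs in rules are matched with `case`, never against the real filesystem, and a shell `*` is looser than AppArmor's single-component `*`, so a hit means "covered or broader".

```shell
#!/bin/sh
# Added example (not libvirt or AppArmor project code): map an AppArmor
# "DENIED" audit line to a candidate rule and test profile coverage.
set -eu
set -f   # no pathname expansion: '*' in a rule is a pattern, not a file glob

# Constructed sample input, shaped like the dmesg line quoted in the thread.
SAMPLE_DENIAL='audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# Constructed profile fragments in the style of usr.sbin.libvirtd.in,
# without and with a virtiofsd rule.
PROFILE_BEFORE='  /usr/lib/xen-*/bin/pygrub PUx,
  /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,'
PROFILE_AFTER="$PROFILE_BEFORE
  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,"

# aa_field LINE KEY: print the value of KEY="value" from an audit line.
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_suggest_rule LINE: print a candidate rule for a DENIED line; exit 1 if
# the line is not an AppArmor denial carrying a path.
aa_suggest_rule() {
    [ "$(aa_field "$1" apparmor)" = DENIED ] || return 1
    sr_name=$(aa_field "$1" name)
    [ -n "$sr_name" ] || return 1
    case $(aa_field "$1" operation) in
        # Exec denials need a transition mode. PUx, as in the patch, means:
        # switch to a dedicated profile if one is loaded, otherwise run
        # unconfined; either way the environment is scrubbed. Prefer a
        # tighter mode (Px/Cx) once a child profile exists.
        exec) printf '%s PUx,\n' "$sr_name" ;;
        *)    printf '%s %s,\n' "$sr_name" "$(aa_field "$1" denied_mask)" ;;
    esac
}

# expand_braces PATTERN: one line per alternative of {a,b,...} groups
# (non-nested, expanded left to right; braces are split with sed so the
# code stays portable to dash as well as bash).
expand_braces() {
    case $1 in
        *'{'*'}'*)
            eb_head=$(printf '%s\n' "$1" | sed 's/{.*//')
            eb_alts=$(printf '%s\n' "$1" | sed 's/^[^{]*{//; s/}.*//')
            eb_tail=$(printf '%s\n' "$1" | sed 's/^[^}]*}//')
            for eb_alt in $(printf '%s\n' "$eb_alts" | tr ',' ' '); do
                ( expand_braces "$eb_head$eb_alt$eb_tail" )   # subshell: keep our vars
            done ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# aa_profile_covers PROFILE_TEXT PATH: exit 0 if some rule's path glob,
# after brace expansion, matches PATH. Only lines starting with '/' are
# rules; mode and trailing comma are ignored for the match.
aa_profile_covers() {
    pc_profile=$1 pc_path=$2
    while IFS= read -r pc_rule; do
        set -- $pc_rule                      # word-split: $1 is the path glob
        pc_glob=${1:-}; pc_glob=${pc_glob%,}
        case $pc_glob in /*) ;; *) continue ;; esac
        for pc_alt in $(expand_braces "$pc_glob"); do
            case $pc_path in $pc_alt) return 0 ;; esac
        done
    done <<EOF
$pc_profile
EOF
    return 1
}

# Walk the thread's scenario: denial observed, rule proposed, rule verified.
denied_path=$(aa_field "$SAMPLE_DENIAL" name)
if aa_profile_covers "$PROFILE_BEFORE" "$denied_path"; then
    printf 'profile already covers %s\n' "$denied_path"
else
    printf 'profile does not cover %s; candidate rule:\n  %s\n' \
        "$denied_path" "$(aa_suggest_rule "$SAMPLE_DENIAL")"
fi
if aa_profile_covers "$PROFILE_AFTER" "$denied_path"; then
    printf 'patched profile covers %s\n' "$denied_path"
fi
```

Point aa_suggest_rule at real `dmesg` or `journalctl -k` output to get the same kind of rule aa-logprof would propose, then run aa_profile_covers against the installed profile to confirm the denied path is actually inside the brace set before reloading it.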