Attaching a newly created vhostuser port to a VM fails due to an
apparmor denial

    internal error: unable to execute QEMU command 'chardev-add': Failed
    to bind socket to /run/openvswitch/vhu838c4d29-c9: Permission denied

In the case of a net device type VIR_DOMAIN_NET_TYPE_VHOSTUSER, the
underlying chardev is not labeled in qemuDomainAttachNetDevice prior
to calling qemuMonitorAttachCharDev.

A simple fix would be to call qemuSecuritySetChardevLabel using the
embedded virDomainChrSourceDef in the virDomainNetDef vhostuser data,
but this incurs the risk of incorrectly restoring the label. E.g.
consider the DAC driver behavior with a vhostuser net device, which
uses a socket for the chardev backend. The DAC driver uses XATTRS to
store original labelling information, but XATTRS are not compatible
with sockets. Without the original labelling information, the socket
labels will be restored with root ownership, preventing other
less-privileged processes from connecting to the socket.

This patch avoids overloading chardev labelling with vhostuser net
devices by introducing virSecurityManager{Set,Restore}NetdevLabel,
which is currently only implemented for the apparmor driver. The
new APIs are then used to set and restore labels for the vhostuser
net devices.

Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
V2 of:
https://listman.redhat.com/archives/libvir-list/2021-August/msg00373.html

Changes since V1:
  Introduce and use new APIs for labeling net devices
  Don't perform labelling while executing monitor commands
  Restore labels if hotplug fails
src/libvirt_private.syms | 2 ++
src/qemu/qemu_hotplug.c | 13 +++++++
src/qemu/qemu_security.c | 59 ++++++++++++++++++++++++++++++
src/qemu/qemu_security.h | 8 +++++
src/security/security_apparmor.c | 61 ++++++++++++++++++++++++++++++++
src/security/security_driver.h | 9 +++++
src/security/security_manager.c | 38 ++++++++++++++++++++
src/security/security_manager.h | 8 +++++
src/security/security_stack.c | 52 +++++++++++++++++++++++++++
9 files changed, 250 insertions(+)