Re: [PATCH V2] qemu: Set label on vhostuser net device when hotplugging

Attaching a newly created vhostuser port to a VM fails due to an apparmor denial internal error: unable to execute QEMU command 'chardev-add': Failed to bind socket to /run/openvswitch/vhu838c4d29-c9: Permission denied In the case of a net device type VIR_DOMAIN_NET_TYPE_VHOSTUSER, the underlying chardev is not labeled in qemuDomainAttachNetDevice prior to calling qemuMonitorAttachCharDev. A simple fix would be to call qemuSecuritySetChardevLabel using the embedded virDomainChrSourceDef in the virDomainNetDef vhostuser data, but this incurs the risk of incorrectly restoring the label. E.g. consider the DAC driver behavior with a vhostuser net device, which uses a socket for the chardev backend. The DAC driver uses XATTRS to store original labelling information, but XATTRS are not compatible with sockets. Without the original labelling information, the socket labels will be restored with root ownership, preventing other less-privileged processes from connecting to the socket. This patch avoids overloading chardev labelling with vhostuser net devices by introducing virSecurityManager{Set,Restore}NetdevLabel, which is currently only implemented for the apparmor driver. The new APIs are then used to set and restore labels for the vhostuser net devices. Signed-off-by: Jim Fehlig <jfehlig(a)suse.com&gt; --- V2 of: https://listman.redhat.com/archives/libvir-list/2021-August/msg00373.html Changes since V1: Introduce and use new APIs for labeling net devices Don't perform labelling while executing monitor commands Restore labels if hotplug fails src/libvirt_private.syms | 2 ++ src/qemu/qemu_hotplug.c | 13 +++++++ src/qemu/qemu_security.c | 59 ++++++++++++++++++++++++++++++ src/qemu/qemu_security.h | 8 +++++ src/security/security_apparmor.c | 61 ++++++++++++++++++++++++++++++++ src/security/security_driver.h | 9 +++++ src/security/security_manager.c | 38 ++++++++++++++++++++ src/security/security_manager.h | 8 +++++ src/security/security_stack.c | 52 +++++++++++++++++++++++++++ 9 files changed, 250 insertions(+)