On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke <kevin@kevinlocke.name> wrote:
When using [virtiofs], libvirtd must launch [virtiofsd] to provide filesystem access on the host. When a guest is configured with virtiofs, such as:
<filesystem type='mount' accessmode='passthrough'> <driver type='virtiofs'/> <source dir='/path'/> <target dir='mount_tag'/> </filesystem>
Attempting to start the guest fails with:
internal error: virtiofsd died unexpectedly
/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
libvirt: error : cannot execute binary /usr/lib/qemu/virtiofsd: Permission denied
dmesg contains:
audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
To avoid this, allow execution of virtiofsd from the libvirtd AppArmor profile.
[virtiofs]: https://libvirt.org/kbase/virtiofs.html [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
The added rule and reasoning LGTM, Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com> P.S. I'm also adding Jamie for his extra depth on apparmor topics.
Signed-off-by: Kevin Locke <kevin@kevinlocke.name> --- src/security/apparmor/usr.sbin.libvirtd.in | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in index 4518e8f865..f2030764cd 100644 --- a/src/security/apparmor/usr.sbin.libvirtd.in +++ b/src/security/apparmor/usr.sbin.libvirtd.in @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) { /usr/lib/xen-*/bin/libxl-save-helper PUx, /usr/lib/xen-*/bin/pygrub PUx, /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to # read and run an ebtables script. -- 2.28.0
-- Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd