
On 8/19/21 12:57 AM, Jim Fehlig wrote:
Attaching a newly created vhostuser port to a VM fails due to an apparmor denial
internal error: unable to execute QEMU command 'chardev-add': Failed to bind socket to /run/openvswitch/vhu838c4d29-c9: Permission denied
In the case of a net device type VIR_DOMAIN_NET_TYPE_VHOSTUSER, the underlying chardev is not labeled in qemuDomainAttachNetDevice prior to calling qemuMonitorAttachCharDev.
A simple fix would be to call qemuSecuritySetChardevLabel using the embedded virDomainChrSourceDef in the virDomainNetDef vhostuser data, but this incurs the risk of incorrectly restoring the label. E.g. consider the DAC driver behavior with a vhostuser net device, which uses a socket for the chardev backend. The DAC driver uses XATTRS to store original labelling information, but XATTRS are not compatible with sockets. Without the original labelling information, the socket labels will be restored with root ownership, preventing other less-privileged processes from connecting to the socket.
This patch avoids overloading chardev labelling with vhostuser net devices by introducing virSecurityManager{Set,Restore}NetdevLabel, which is currently only implemented for the apparmor driver. The new APIs are then used to set and restore labels for the vhostuser net devices.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
V2 of: https://listman.redhat.com/archives/libvir-list/2021-August/msg00373.html
Changes since V1:
- Introduce and use new APIs for labeling net devices
- Don't perform labelling while executing monitor commands
- Restore labels if hotplug fails

 src/libvirt_private.syms         |  2 ++
 src/qemu/qemu_hotplug.c          | 13 +++++++
 src/qemu/qemu_security.c         | 59 ++++++++++++++++++++++++++++++
 src/qemu/qemu_security.h         |  8 +++++
 src/security/security_apparmor.c | 61 ++++++++++++++++++++++++++++++++
 src/security/security_driver.h   |  9 +++++
 src/security/security_manager.c  | 38 ++++++++++++++++++++
 src/security/security_manager.h  |  8 +++++
 src/security/security_stack.c    | 52 +++++++++++++++++++++++++++
 9 files changed, 250 insertions(+)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal
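The commit message argues that a "remember the original owner in an xattr, then restore it" scheme cannot be applied to a vhost-user socket. The following is an added example, not code from the patch or from the libvirt tree, that demonstrates one concrete, kernel-level reason in the user.* namespace: Linux permits user.* extended attributes only on regular files and directories, so setxattr() on a socket inode fails with EPERM regardless of privilege, while the same call on a neighbouring regular file either succeeds or, on a filesystem mounted without user xattr support, returns ENOTSUP. The attribute name `user.demo.orig_owner`, the scratch directory and the file names are invented for this demonstration; libvirt's DAC driver uses its own xattr namespace and helpers, which this snippet does not reproduce.

```c
/* Added example (not libvirt code): show why "remember the original owner
 * in a user.* xattr" cannot work for a Unix domain socket.  Linux allows
 * user.* xattrs only on regular files and directories, so setxattr() on a
 * socket inode fails with EPERM regardless of privilege.  The xattr name,
 * directory and file names below are invented for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/xattr.h>

#define DEMO_XATTR "user.demo.orig_owner"   /* hypothetical attribute name */

/* Record "+uid:+gid" of @path in DEMO_XATTR, the way a DAC driver would
 * remember the pre-label owner.  Returns 0 on success, else the errno. */
static int remember_owner(const char *path)
{
    struct stat sb;
    char val[64];

    if (stat(path, &sb) < 0)
        return errno;
    snprintf(val, sizeof(val), "+%u:+%u",
             (unsigned)sb.st_uid, (unsigned)sb.st_gid);
    if (setxattr(path, DEMO_XATTR, val, strlen(val), 0) < 0)
        return errno;
    return 0;
}

struct probe_result {
    int sock_rc;   /* errno from remember_owner() on a bound Unix socket */
    int file_rc;   /* errno from remember_owner() on a regular file */
};

/* Create a scratch directory holding one bound Unix socket and one regular
 * file, try to remember the owner of each, then clean everything up. */
static struct probe_result probe_user_xattr(void)
{
    struct probe_result r = { -1, -1 };
    char dir[] = "/tmp/xattr-demo-XXXXXX";
    char sockpath[sizeof(dir) + 16], filepath[sizeof(dir) + 16];
    struct sockaddr_un addr;
    int sfd, ffd;

    if (!mkdtemp(dir))
        return r;
    snprintf(sockpath, sizeof(sockpath), "%s/vhu.sock", dir);
    snprintf(filepath, sizeof(filepath), "%s/plain.txt", dir);

    /* bind() is what creates the socket inode on the filesystem */
    sfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (sfd >= 0) {
        memset(&addr, 0, sizeof(addr));
        addr.sun_family = AF_UNIX;
        strncpy(addr.sun_path, sockpath, sizeof(addr.sun_path) - 1);
        if (bind(sfd, (struct sockaddr *)&addr, sizeof(addr)) == 0)
            r.sock_rc = remember_owner(sockpath);
        close(sfd);   /* the socket inode stays on disk after close */
    }

    ffd = open(filepath, O_CREAT | O_WRONLY, 0600);
    if (ffd >= 0) {
        close(ffd);
        r.file_rc = remember_owner(filepath);
    }

    unlink(sockpath);
    unlink(filepath);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct probe_result r = probe_user_xattr();

    printf("socket : setxattr -> %s\n",
           r.sock_rc == 0 ? "ok" : strerror(r.sock_rc));
    printf("regular: setxattr -> %s\n",
           r.file_rc == 0 ? "ok" : strerror(r.file_rc));
    return 0;
}
```

Run it as an unprivileged user or as root; the socket case reports "Operation not permitted" either way, which is the situation the commit message describes: with no place to stash the original owner, a later restore step has nothing to fall back on except the default, and the socket ends up owned by root.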