[libvirt] virStorageFileGetMetadata bug?
Hi, I'm looking into why virt-aa-helper isn't adding allow rules for backing stores nested deeper than 1. So if I do qemu-img create -f qcow2 l1.img 10G qemu-img create -f qcow2 -b l1.img l2.img and use l2.img in a domain, then virt-aa-helper will add allow rules for the domain to access both l1.img and l2.img. But if I qemu-img create -f qcow2 -b l2.img l3.img and use l3.img in the domain, then l3.img will not get an allow rule. Looking at src/security/virt-aa-helper.c:get_files(), it is doing: if (!disk->src->backingStore) { bool probe = ctl->allowDiskFormatProbing; virStorageFileGetMetadata(disk->src, -1, -1, probe, false); } if (virDomainDiskDefForeachPath(disk, true, add_file_path, &buf) < 0) goto cleanup; and virStorageFileGetMetadata in turn calls virStorageFileGetMetadataRecurse(). So it seems like l3.img *should* be geting hit in virDomainDiskDefForeachPath, but it's not. Am I misunderstanding something in how these helpers should be used? thanks, -serge
On 10/30/2014 02:32 PM, Serge Hallyn wrote:
Hi,
I'm looking into why virt-aa-helper isn't adding allow rules for backing stores nested deeper than 1. So if I do
qemu-img create -f qcow2 l1.img 10G qemu-img create -f qcow2 -b l1.img l2.img
Oops, you forgot the backing format. Without that, libvirt is forced to treat the backing file as raw unless you tweak qemu.conf to allow format probing (which then exposes you to a CVE if probing ever goes wrong). Please add -o backing_fmt={qcow2,raw} as appropriate to each qemu-img create, then try again.
and virStorageFileGetMetadata in turn calls virStorageFileGetMetadataRecurse(). So it seems like l3.img *should* be geting hit in virDomainDiskDefForeachPath, but it's not. Am I misunderstanding something in how these helpers should be used?
You are missing the fact that we refuse to probe a backing file for format, and instead treat it as raw (even if that treatment is wrong), unless explicitly configured to be less safe. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Quoting Eric Blake (eblake@redhat.com):
On 10/30/2014 02:32 PM, Serge Hallyn wrote:
Hi,
I'm looking into why virt-aa-helper isn't adding allow rules for backing stores nested deeper than 1. So if I do
qemu-img create -f qcow2 l1.img 10G qemu-img create -f qcow2 -b l1.img l2.img
Oops, you forgot the backing format. Without that, libvirt is forced to treat the backing file as raw unless you tweak qemu.conf to allow format probing (which then exposes you to a CVE if probing ever goes wrong).
Please add -o backing_fmt={qcow2,raw} as appropriate to each qemu-img create, then try again.
Jinkeys, yup, that fixes it - thanks!
and virStorageFileGetMetadata in turn calls virStorageFileGetMetadataRecurse(). So it seems like l3.img *should* be geting hit in virDomainDiskDefForeachPath, but it's not. Am I misunderstanding something in how these helpers should be used?
You are missing the fact that we refuse to probe a backing file for format, and instead treat it as raw (even if that treatment is wrong), unless explicitly configured to be less safe.
Sounds like the safe thing to do. thanks, -serge
participants (2)
-
Eric Blake -
Serge Hallyn