Hi Michael,
Thanks for looking at the submission. I've made the proposed changes and can verify that the fix works. :) The error has gone away and the container now starts. Below is a snippet of the device node from the intermediate mount namespace that eventually ends up in the target container's mount namespace:

    $ sudo nsenter -t 7397 -m
    # ls -laZ /var/run/libvirt/lxc/lxc_0.dev/bus/usb/001/002
    crwx------. 1 root root system_u:object_r:svirt_sandbox_file_t:s0:c600,c910 189, 1 Jan 23 14:55 /var/run/libvirt/lxc/lxc_0.dev/bus/usb/001/002

Thanks,
Randy

________________________________
From: Michal Privoznik <mpriv...@redhat.com>
Sent: Friday, January 19, 2018 11:19 AM
To: Randy Aybar; libvir-list@redhat.com
Subject: Re: [libvirt] Libvirt fails to apply security context to fd/node to USB device

On 01/16/2018 07:20 PM, Randy Aybar wrote:
> Hi,
>
> I'm attempting to attach and expose a USB device (WiFi adapter for testing)
> to an LXC container with SELinux enabled. But when enabling the XML snippet,
> the container fails to start with this error:
>
> 2018-01-12 19:24:31.914+0000: 2181: error :
> virSecuritySELinuxSetFileconHelper:1182 : unable to set security context
> 'system_u:object_r:svirt_sandbox_file_t:s0:c139,c284' on
> '//var/run/libvirt/lxc/lxc_0.dev/bus/usb//dev/bus/usb/002/002': No such file
> or directory
>
> Failure in libvirt_lxc startup: unable to set security context
> 'system_u:object_r:svirt_sandbox_file_t:s0:c139,c284' on
> '//var/run/libvirt/lxc/lxc_0.dev/bus/usb//dev/bus/usb/002/002': No such file
> or directory

Yes, this is a libvirt bug. And your analysis is correct. The problem is:

1) in virLXCControllerSetupHostdevSubsysUSB the first part of the path is constructed:

   vroot = /var/run/libvirt/lxc/lxc_0.dev/bus/usb

2) then, virSecurityManagerSetHostdevLabel() is called, which subsequently calls virSecuritySELinuxSetHostdevSubsysLabel().

3) The SELinuxSetHostdevSubsysLabel() calls virUSBDeviceNew(..,vroot) where vroot is the path from step 1). The virUSBDeviceNew then does:

    if (virAsprintf(&dev->path, "%s" USB_DEVFS "%03d/%03d",
                    vroot ? vroot : "",
                    dev->bus, dev->dev) < 0) {
        virUSBDeviceFree(dev);
        return NULL;
    }

where USB_DEVFS is defined as:

    # define USB_DEVFS "/dev/bus/usb/"

So in the end, dev->path contains the path that you're seeing. I think this is the fix:

diff --git a/src/util/virusb.c b/src/util/virusb.c index 6359235ff..99ee08657 100644 --- a/src/util/virusb.c +++ b/src/util/virusb.c
@@ -343,9 +343,9 @@ virUSBDeviceNew(unsigned int bus, virUSBDeviceFree(dev); return NULL; } - if (virAsprintf(&dev->path, "%s" USB_DEVFS "%03d/%03d", - vroot ? vroot : "", - dev->bus, dev->dev) < 0) { + + if ((vroot && virAsprintf(&dev->path, "%s/%03d/%03d", vroot, dev->bus, dev->dev) < 0) || + (!vroot && virAsprintf(&dev->path, USB_DEVFS "%03d/%03d", dev->bus, dev->dev) < 0)) { virUSBDeviceFree(dev); return NULL; } (of course after breaking down the long lines). Can you please test it? Michal
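Review bot: the replacement condition in this hunk folds two virAsprintf calls with different format strings into one boolean expression, which is hard to read and, as the message itself concedes, overruns the line length; an explicit `if (vroot) { ... } else { ... }` with one virAsprintf per branch would express the same two cases more plainly and keep the error handling in one place. Worth a comment in the code as well: the vroot branch now assumes the caller passes a path that already ends in the bus/usb directory (as virLXCControllerSetupHostdevSubsysUSB does with /var/run/libvirt/lxc/lxc_0.dev/bus/usb), since USB_DEVFS is no longer appended to it, so any other caller that passes a bare root directory would silently get a different dev->path than before the change.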
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list