On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke <ke...@kevinlocke.name> wrote:
>
> When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> filesystem access on the host.  When a guest is configured with
> virtiofs, such as:
>
>     <filesystem type='mount' accessmode='passthrough'>
>       <driver type='virtiofs'/>
>       <source dir='/path'/>
>       <target dir='mount_tag'/>
>     </filesystem>
>
> Attempting to start the guest fails with:
>
>     internal error: virtiofsd died unexpectedly
>
> /var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
>
>     libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd: 
> Permission denied
>
> dmesg contains:
>
>     audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" 
> operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 
> comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>
> To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> profile.
>
> [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html

The added rule and reasoning LGTM,
Reviewed-by: Christian Ehrhardt <christian.ehrha...@canonical.com>

P.S. I'm also adding Jamie for his extra depth on apparmor topics.

> Signed-off-by: Kevin Locke <ke...@kevinlocke.name>
> ---
>  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in 
> b/src/security/apparmor/usr.sbin.libvirtd.in
> index 4518e8f865..f2030764cd 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd 
> flags=(attach_disconnected) {
>    /usr/lib/xen-*/bin/libxl-save-helper PUx,
>    /usr/lib/xen-*/bin/pygrub PUx,
>    /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> +  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
>    # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
>    # read and run an ebtables script.
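Review bot: the new rule grants `PUx`, so when no profile named for the virtiofsd binary is loaded (the common case today) the daemon transitions to unconfined with a scrubbed environment, and it is launched as root by libvirtd (the denial shows fsuid=0) to serve a host directory tree to the guest. That matches the existing `vhost-user-gpu PUx,` line directly above it and the brace glob covers the `/usr/lib/qemu/virtiofsd` path in the reported denial, so the fix is consistent with the profile's conventions; it would be worth a one-line comment in the profile, or a follow-up, noting that a dedicated child profile for virtiofsd would let the `P` in `PUx` actually confine it rather than fall back to `U`.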
> --
> 2.28.0
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
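As an added illustration of the triage described in the report (not code from this thread or from libvirt), the script below parses AppArmor audit lines of the kind quoted from dmesg, keeps only DENIED exec events for a given profile, and prints the candidate profile line in the style the patch uses. The sample dmesg text is constructed: the first line is the reported denial re-joined onto one line, the other two are made-up events that must be ignored. The list of helper directories is assumed from the brace glob already used for vhost-user-gpu in the profile.

```python
import posixpath
import re

# Constructed sample input. Line 1 is the denial from the patch description
# (re-joined onto one line); lines 2 and 3 are made up: a non-exec denial and
# a non-denial, neither of which should produce a rule.
SAMPLE_DMESG = """\
audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1598229300.100:74): apparmor="DENIED" operation="open" profile="libvirtd" name="/etc/example.conf" pid=46010 comm="rpc-worker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1598229301.000:75): apparmor="ALLOWED" operation="exec" profile="libvirtd" name="/usr/bin/true" pid=46011 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

# Directories the libvirtd profile already globs for qemu helper binaries
# (assumed from the existing vhost-user-gpu rule in the profile).
QEMU_HELPER_DIRS = ("lib", "lib64", "lib/qemu", "libexec")

# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an AppArmor audit record."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def exec_denials(text, profile=None):
    """Return (profile, path, comm) for every DENIED exec event in text,
    optionally restricted to one confining profile."""
    found = []
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") != "exec" or "x" not in f.get("denied_mask", ""):
            continue
        if profile and f.get("profile") != profile:
            continue
        found.append((f.get("profile", ""), f.get("name", ""), f.get("comm", "")))
    return found


def suggest_exec_rule(path, mode="PUx"):
    """Build a profile line for an exec denial. PUx runs the target under its
    own profile if one is loaded, otherwise unconfined with a scrubbed
    environment. Paths under the known helper directories are widened to the
    brace glob the profile already uses for other qemu helpers."""
    directory, binary = posixpath.split(path)
    if directory in tuple("/usr/" + d for d in QEMU_HELPER_DIRS):
        return f"  /usr/{{{','.join(QEMU_HELPER_DIRS)}}}/{binary} {mode},"
    return f"  {path} {mode},"


if __name__ == "__main__":
    for prof, path, comm in exec_denials(SAMPLE_DMESG, profile="libvirtd"):
        print(f"# {prof} (via {comm}) was denied exec of {path}; candidate rule:")
        print(suggest_exec_rule(path))
```

Running it on the sample text prints exactly the line the patch adds, `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,`, while the open denial and the ALLOWED record are skipped. A generated rule is only a starting point: whether the binary should run unconfined (`U`) or under its own profile is the reviewer's call, as the discussion above shows.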
