[PATCH] apparmor: allow libvirtd to call virtiofsd

Christian Ehrhardt christian.ehrhardt at canonical.com
Tue Aug 25 13:15:00 UTC 2020


On Mon, Aug 24, 2020 at 2:21 PM Christian Ehrhardt
<christian.ehrhardt at canonical.com> wrote:
>
> On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke <kevin at kevinlocke.name> wrote:
> >
> > When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> > filesystem access on the host.  When a guest is configured with
> > virtiofs, such as:
> >
> >     <filesystem type='mount' accessmode='passthrough'>
> >       <driver type='virtiofs'/>
> >       <source dir='/path'/>
> >       <target dir='mount_tag'/>
> >     </filesystem>
> >
> > Attempting to start the guest fails with:
> >
> >     internal error: virtiofsd died unexpectedly
> >
> > /var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
> >
> >     libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd: Permission denied
> >
> > dmesg contains:
> >
> >     audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

I was prepping to commit this sometime soon (and for my own testing);
while doing so I realized this line is very long.
While https://libvirt.org/submitting-patches.html doesn't mention a
limit, it is generally useful to wrap at 72 or at least 80 chars.
This can be done by the committer, but obviously it is less work for
everyone if wrapped from the start.

> >
> > To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> > profile.
> >
> > [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> > [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
>
> The added rule and reasoning LGTM,
> Reviewed-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
>
> P.S. I'm also adding Jamie for his extra depth on apparmor topics.
>
> > Signed-off-by: Kevin Locke <kevin at kevinlocke.name>
> > ---
> >  src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> > index 4518e8f865..f2030764cd 100644
> > --- a/src/security/apparmor/usr.sbin.libvirtd.in
> > +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> > @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> >    /usr/lib/xen-*/bin/libxl-save-helper PUx,
> >    /usr/lib/xen-*/bin/pygrub PUx,
> >    /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> > +  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
> >
> >    # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
> >    # read and run an ebtables script.
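Review bot: the new `PUx` line means virtiofsd runs under its own profile only if one exists and otherwise unconfined (with environment scrubbing); this patch adds no such profile (1 file changed, 1 insertion), so in practice the daemon that exports the host directory given in `<source dir='/path'/>` runs with no AppArmor confinement of its own. That mirrors the `vhost-user-gpu PUx,` rule directly above, so it is consistent with the existing profile, but a follow-up that gives virtiofsd a dedicated child profile would be worth noting in the commit message. Also note the glob `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd` admits four locations while only `/usr/lib/qemu/virtiofsd` appears in the quoted denial; that is fine for distro portability, just intentional rather than accidental.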
> > --
> > 2.28.0
> >
>
>
> --
> Christian Ehrhardt
> Staff Engineer, Ubuntu Server
> Canonical Ltd



-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
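The commit message above diagnoses the failure from the `apparmor="DENIED"` line in dmesg and turns it into one profile rule. The following Python script is an added example, not part of the patch or of libvirt, that does the same triage step mechanically: it parses AppArmor audit lines of that shape into structured events, collapses repeated denials per (profile, path, mask), and emits a candidate rule for a human to review. The first sample line reproduces the dmesg entry quoted in the commit message; the second is a constructed read denial added only to exercise a non-exec mask. The default exec mode it proposes is `ix` (stay under the parent profile), which is an assumption of this example; the upstream patch chose `PUx`, and that choice belongs to the profile author.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines. The first reproduces the dmesg entry quoted in the
# commit message; the second is an invented read denial that exists only to
# show how a non-exec mask is handled.
SAMPLE_EXEC_DENIAL = (
    'audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" '
    'profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" '
    'requested_mask="x" denied_mask="x" fsuid=0 ouid=0'
)
SAMPLE_READ_DENIAL = (
    'audit: type=1400 audit(1598229300.000:74): apparmor="DENIED" operation="open" '
    'profile="libvirtd" name="/var/lib/libvirt/constructed-example.txt" pid=46008 '
    'comm="rpc-worker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# Audit records are a flat series of key="quoted value" or key=bare_value pairs.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# The audit(<epoch seconds>.<ms>:<serial>) stamp carries the time and sequence number.
_AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


@dataclass
class ApparmorDenial:
    timestamp: float
    serial: int
    profile: str
    operation: str
    name: str
    requested_mask: str
    denied_mask: str
    pid: int
    comm: str


def parse_apparmor_denial(line: str) -> Optional[ApparmorDenial]:
    """Return the structured event, or None if the line is not an AppArmor DENIED record."""
    if 'apparmor="DENIED"' not in line:
        return None
    audit = _AUDIT_RE.search(line)
    if audit is None:
        return None
    fields: Dict[str, str] = {}
    for key, whole, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if whole.startswith('"') else bare
    try:
        return ApparmorDenial(
            timestamp=float(audit.group(1)),
            serial=int(audit.group(2)),
            profile=fields["profile"],
            operation=fields["operation"],
            name=fields["name"],
            requested_mask=fields["requested_mask"],
            denied_mask=fields["denied_mask"],
            pid=int(fields["pid"]),
            comm=fields["comm"],
        )
    except (KeyError, ValueError):
        # A DENIED line missing a field we need (e.g. a network denial with no name=)
        return None


def suggest_rule(event: ApparmorDenial, exec_mode: str = "ix") -> str:
    """Turn one denial into a candidate profile line for human review.

    Exec denials need an explicit exec mode. The upstream patch used PUx
    (own profile if present, else unconfined, environment scrubbed); this
    example's default of ix keeps the child under the parent's profile, which
    is the conservative starting point. Non-exec denials reuse the denied mask
    (r, w, k, m, l ...) verbatim.
    """
    if "x" in event.denied_mask:
        return f"{event.name} {exec_mode},"
    return f"{event.name} {event.denied_mask},"


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count DENIED events per (profile, path, denied_mask) so repeats collapse to one rule."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_apparmor_denial(line)
        if event is not None:
            counts[(event.profile, event.name, event.denied_mask)] += 1
    return dict(counts)


if __name__ == "__main__":
    logs = [SAMPLE_EXEC_DENIAL, SAMPLE_EXEC_DENIAL, SAMPLE_READ_DENIAL]
    for (profile, path, mask), n in summarize(logs).items():
        print(f"{n:3d}x profile={profile} path={path} denied_mask={mask}")
    first = parse_apparmor_denial(SAMPLE_EXEC_DENIAL)
    if first is not None:
        print("candidate rule (ix default):", suggest_rule(first))
        print("candidate rule (as in patch):", suggest_rule(first, exec_mode="PUx"))
```

Run it as a script and it prints the per-path counts followed by the two candidate rules; in practice you would feed it `dmesg` or `journalctl -k` output and compare the suggestions against the existing profile before editing anything, since the parser only reports what the kernel denied and the exec-mode decision remains a policy choice.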