[PATCH] apparmor: allow libvirtd to call virtiofsd
Christian Ehrhardt
christian.ehrhardt at canonical.com
Mon Aug 24 12:21:01 UTC 2020
On Mon, Aug 24, 2020 at 2:03 PM Kevin Locke <kevin at kevinlocke.name> wrote:
>
> When using [virtiofs], libvirtd must launch [virtiofsd] to provide
> filesystem access on the host. When a guest is configured with
> virtiofs, such as:
>
> <filesystem type='mount' accessmode='passthrough'>
> <driver type='virtiofs'/>
> <source dir='/path'/>
> <target dir='mount_tag'/>
> </filesystem>
>
> Attempting to start the guest fails with:
>
> internal error: virtiofsd died unexpectedly
>
> /var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains:
>
> libvirt: error : cannot execute binary /usr/lib/qemu/virtiofsd: Permission denied
>
> dmesg contains:
>
> audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>
> To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
> profile.
>
> [virtiofs]: https://libvirt.org/kbase/virtiofs.html
> [virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
The added rule and reasoning LGTM,
Reviewed-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
P.S. I'm also adding Jamie for his extra depth on apparmor topics.
> Signed-off-by: Kevin Locke <kevin at kevinlocke.name>
> ---
> src/security/apparmor/usr.sbin.libvirtd.in | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
> index 4518e8f865..f2030764cd 100644
> --- a/src/security/apparmor/usr.sbin.libvirtd.in
> +++ b/src/security/apparmor/usr.sbin.libvirtd.in
> @@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
> /usr/lib/xen-*/bin/libxl-save-helper PUx,
> /usr/lib/xen-*/bin/pygrub PUx,
> /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
> + /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
>
> # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
> # read and run an ebtables script.
> --
> 2.28.0
>
--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
More information about the libvir-list
mailing list