[PATCH V2] qemu: Set label on vhostuser net device when hotplugging
Michal Prívozník
mprivozn at redhat.com
Tue Aug 24 11:11:09 UTC 2021
On 8/19/21 12:57 AM, Jim Fehlig wrote:
> Attaching a newly created vhostuser port to a VM fails due to an
> apparmor denial
>
> internal error: unable to execute QEMU command 'chardev-add': Failed
> to bind socket to /run/openvswitch/vhu838c4d29-c9: Permission denied
>
> In the case of a net device type VIR_DOMAIN_NET_TYPE_VHOSTUSER, the
> underlying chardev is not labeled in qemuDomainAttachNetDevice prior
> to calling qemuMonitorAttachCharDev.
>
> A simple fix would be to call qemuSecuritySetChardevLabel using the
> embedded virDomainChrSourceDef in the virDomainNetDef vhostuser data,
> but this incurs the risk of incorrectly restoring the label. E.g.
> consider the DAC driver behavior with a vhostuser net device, which
> uses a socket for the chardev backend. The DAC driver uses XATTRS to
> store original labelling information, but XATTRS are not compatible
> with sockets. Without the original labelling information, the socket
> labels will be restored with root ownership, preventing other
> less-privileged processes from connecting to the socket.
>
> This patch avoids overloading chardev labelling with vhostuser net
> devices by introducing virSecurityManager{Set,Restore}NetdevLabel,
> which is currently only implemented for the apparmor driver. The
> new APIs are then used to set and restore labels for the vhostuser
> net devices.
>
> Signed-off-by: Jim Fehlig <jfehlig at suse.com>
> ---
>
> V2 of:
> https://listman.redhat.com/archives/libvir-list/2021-August/msg00373.html
>
> Changes since V1:
> Introduce and use new APIs for labeling net devices
> Don't perform labelling while executing monitor commands
> Restore labels if hotplug fails
>
> src/libvirt_private.syms | 2 ++
> src/qemu/qemu_hotplug.c | 13 +++++++
> src/qemu/qemu_security.c | 59 ++++++++++++++++++++++++++++++
> src/qemu/qemu_security.h | 8 +++++
> src/security/security_apparmor.c | 61 ++++++++++++++++++++++++++++++++
> src/security/security_driver.h | 9 +++++
> src/security/security_manager.c | 38 ++++++++++++++++++++
> src/security/security_manager.h | 8 +++++
> src/security/security_stack.c | 52 +++++++++++++++++++++++++++
> 9 files changed, 250 insertions(+)
Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
Michal
More information about the libvir-list
mailing list