[libvirt-users] Permission problem with /dev/net/tun

Daniel P. Berrange berrange at redhat.com
Mon Jul 8 09:41:06 UTC 2013


On Sat, Jul 06, 2013 at 09:59:39PM +0200, Thomas Karcher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi lxc folks,
> 
> the symptom my libvirt LXC container suffers from is:
> 
> root at depot:/dev/net# ls -la
> total 0
> drwxr-xr-x 2 root root  40 Jun 29 16:26 .
> drwxr-xr-x 5 root root 480 Jun 29 16:26 ..
> 
> root at depot:/dev/net# mknod tun c 10 200
> mknod: `tun': Operation not permitted
> 
> The host is an up-to-date AMD64 Ubuntu raring on 3.8.0-25-generic that
> was formerly installed from precise and then upgraded. The guest is
> Ubuntu precise; however, I see the same symptom in another raring
> container on the same host.
> 
> What I tried to resolve this:
> 
> 1) On the host, I echoed various stuff to the cgroup device files:
> 
> cd /sys/fs/cgroup/devices/libvirt/lxc
> echo "c 10:200 rwm" > devices.allow
> echo "c 10:200 rwm" > depot/devices.allow
> echo a > depot/devices.allow
> 
> ... and I see the successful results in depot/devices.list, but no
> success.
> 
> 2) I inserted a line "/dev/net/tun rwk," into
> /etc/apparmor.d/abstractions/lxc/container-base - no change. (I know,
> it seems kind of pointless - because it's about permissions to a
> device, not a path. You may deduce my desperation from this ...
> 
> SELinux is not active. Mounts on /dev look normal to me:
> 
> devfs on /dev type tmpfs (rw,mode=0755)
> devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
> devpts on /dev/ptmx type devpts
> (rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666)
> cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)
> 
> Now comes the weird part: Once I umount /dev inside the container, the
> "hidden" /dev appears which contains a usable /dev/net/tun. So the
> mknod problem is probably due to the dropped capabilities - but
> why/how mounts the container a more restricted /dev on top of the
> prepared one ...?

Allowing the container direct access to the host's /dev would be
a security flaw, so libvirt sets up a private /dev for the container.
Allowing the container to use mknod would also be insecure, so we
block mknod using both the cgroups device ACL and by dropping the
CAP_MKNOD capability.

  http://libvirt.org/drvlxc.html#devnodes

Any device that the container is authorized to access per the XML
configuration will be pre-created in the container's /dev. To
explicitly allow /dev/net/tun you need to tell libvirt about it.

  http://libvirt.org/formatdomain.html#elementsHostDevCaps


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
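The configuration change Daniel points at, written out as an added example (this snippet is not part of the original thread and is not libvirt's own documentation). It uses the "misc" flavour of the capabilities-mode <hostdev> element that the formatdomain page documents for LXC guests; the domain name "depot" is taken from the question, and the surrounding <devices> block is assumed to be the one that already exists in that domain's XML.

```xml
<!-- Fragment of the libvirt LXC domain XML for the container "depot",
     e.g. as opened with:  virsh -c lxc:/// edit depot
     Only the <hostdev> element is new; everything else is assumed to
     already be present in the domain definition. -->
<domain type='lxc'>
  <name>depot</name>
  <!-- ... memory, os, etc. unchanged ... -->
  <devices>
    <!-- ... existing filesystem/console/interface elements ... -->

    <!-- Grant the container the host character device /dev/net/tun.
         libvirt resolves this path on the host to its major:minor
         (10:200 in the question), adds a matching "c 10:200 rwm" rule
         to the container's devices cgroup, and pre-creates the node in
         the container's private /dev. The container itself never needs
         CAP_MKNOD for this, so that capability stays dropped. -->
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>
  </devices>
</domain>
```

Two practical caveats: the private /dev is built when the container starts, so after editing the persistent XML the container has to be stopped and started again (a running instance does not pick the new node up), and the rule only arrives in the container's own devices cgroup (the depot/devices.list path from the question) once libvirt has applied it, so a hand-written echo into devices.allow on the host, as tried in step 1, is both unnecessary and insufficient because the device node is still missing from the container's private /dev. After the restart, ls -l /dev/net/tun inside the container should show the character device with major 10, minor 200 without any mknod being issued from within the guest.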