Virtiofs xattr options on domain xml

ksobrenat32 ksobrenat32 at null.8shield.net
Mon May 23 14:01:02 UTC 2022


So as a temporary fix I have changed some things to make it work; I will 
leave this here in case it is useful:

1. Upgrade Debian libvirt packages

     I had to upgrade the libvirt packages in order to use the socket 
option for virtiofs. The updates were from Debian 11 backports and the 
packages are 'qemu qemu-kvm qemu-system qemu-utils libvirt-clients 
libvirt-daemon-system virtinst'; after installing, you should restart 
libvirtd.

2. Run virtiofsd as a systemd service

     In order to use the socket option we need to run virtiofsd; I 
decided to run it as a systemd service:

     [Unit]
     Description=Virtiofsd for sharing disk WD-WX32D5143K0L
     Documentation=https://gitlab.com/virtio-fs/virtiofsd

     [Service]
     ExecStart=/usr/lib/qemu/virtiofsd --socket-path=/var/virtiofsd.sock \
         --socket-group=libvirt-qemu \
         -o xattr,source="/mnt/WD-Disk",xattrmap=":map:security.selinux:trusted.virtiofs.:",modcaps=+sys_admin

     [Install]
     WantedBy=multi-user.target

     The extra options are 'xattr' to enable them, 'source' to 
declare the directory to share, 'xattrmap' so you can have different SELinux 
contexts on the host and the guest, and 'modcaps' so it is able to set 
trusted xattrs. The service should run as root.

3. Add the xml to the vm

     With virsh edit you should edit the domain XML of the VM, in the 
filesystem part, to use the socket:

     <filesystem type='mount'>
       <driver type='virtiofs' queue='1024'/>
       <source socket='/var/virtiofsd.sock'/>
       <target dir='media'/>
       <alias name='fs0'/>
       <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
     </filesystem>

I know that it may not be the most secure way, but it is the best way I 
could find to have a non-SELinux host with an SELinux guest.

On 19/05/22 03:41, Michal Prívozník - mprivozn(a)redhat.com wrote:
> On 5/19/22 00:53, ksobrenat32 wrote:
>> Hi!
>>
>> I have a Debian 11 (bullseye) machine running libvirtd version 7.0.0 and
>> a RHEL 9 virtual machine that I need to share a disk with, and thought about
>> virtiofs.
>>
>> The disk is a btrfs disk and I have successfully mounted it with:
>>
>>      <filesystem type='mount' accessmode='passthrough'>
>>        <driver type='virtiofs' queue='1024'/>
>>        <binary path='/usr/lib/qemu/virtiofsd' xattr='on'>
>>          <cache mode='always'/>
>>          <lock posix='on' flock='on'/>
>>        </binary>
>>        <source dir='/mnt/WD-Disk'/>
>>        <target dir='media'/>
>>        <alias name='fs0'/>
>>        <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
>>      </filesystem>
>>
>> The problem I have is with SELinux: when I try to change the context of
>> a file inside the virtual machine I get an 'Operation not permitted'
>> error. I can change the context in the Debian host and see the changes
>> in the virtual machine, but I would want to be able to change the context
>> from the VM to be able to use podman containers with SELinux enabled.
>>
>> I see in the docs
>> https://qemu.readthedocs.io/en/latest/tools/virtiofsd.html#selinux-support
>> that you can run virtiofsd with an xattr option so it is compatible with
>> SELinux, but I do not find a way to change the domain XML to add this
>> option. Is there a way to add this option? Does a better option exist
>> (maybe on the guest side)?
>>
>
> Yeah, I don't think this was implemented. However, virtiofsd is running
> as root:root and with no capabilities dropped. So I guess what we're
> missing here is -o security_label or might as well implement the remap
> as docs suggest which is much safer.
>
> Michal
>
>
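As an added illustration, not code from this thread or from virtiofsd itself, here is a small Python model of what the xattrmap rule used in the service unit above does to attribute names, and why it lets the host and the guest keep different SELinux labels on the same file. The assumed semantics (guest names starting with the rule's key get the prefix on the host and lose it on the way back, the host's own unprefixed attribute is hidden from the guest, everything else passes through) are stated in the comments; the sample attribute set is constructed.

```python
# Added example, not from the thread: a simplified model of the renaming that
# the virtiofsd rule ":map:security.selinux:trusted.virtiofs.:" performs, to
# show why guest and host SELinux labels stay independent. Assumed semantics:
# guest names starting with `key` get `prepend` added on the host and stripped
# on the way back; the host's own unprefixed `key` attribute is hidden from
# the guest; every other name passes through unchanged.


class MapRule:
    def __init__(self, spec):
        # The first character is the separator: :map:<key>:<prepend>:
        sep = spec[0]
        fields = spec.split(sep)
        if len(fields) != 5 or fields[1] != "map" or fields[4] != "":
            raise ValueError("unsupported xattrmap rule: %r" % spec)
        self.key, self.prepend = fields[2], fields[3]

    def to_host(self, guest_name):
        # A guest get/set of a matching name lands on the prefixed host name.
        if guest_name.startswith(self.key):
            return self.prepend + guest_name
        return guest_name

    def to_guest(self, host_name):
        # Host name -> guest-visible name; None means hidden from the guest.
        if host_name.startswith(self.prepend + self.key):
            return host_name[len(self.prepend):]
        if host_name.startswith(self.key):
            return None  # the host's own label is not exposed
        return host_name


def guest_view(rule, host_xattrs):
    """Attributes the guest would list for a file carrying host_xattrs."""
    view = {}
    for host_name, value in host_xattrs.items():
        guest_name = rule.to_guest(host_name)
        if guest_name is not None:
            view[guest_name] = value
    return view


RULE = MapRule(":map:security.selinux:trusted.virtiofs.:")
# Constructed sample: a file on the shared disk after the guest relabelled it;
# the host keeps its own label next to the remapped one.
HOST_XATTRS = {
    "security.selinux": "unconfined_u:object_r:unlabeled_t:s0",
    "trusted.virtiofs.security.selinux": "system_u:object_r:container_file_t:s0",
    "user.comment": "shared",
}
```

Because the guest only ever reaches `trusted.virtiofs.security.selinux`, relabelling from inside the VM never touches the host's own `security.selinux`, which is what the 'modcaps=+sys_admin' option (needed to write trusted.* xattrs) is paying for.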