Bug 1447943

Summary: qemu guest agent cannot read/write existing file in guest
Product: Red Hat Enterprise Linux 7
Reporter: FuXiangChun <xfu>
Component: qemu-guest-agent
Assignee: Ademar Reis <areis>
Status: CLOSED NOTABUG
QA Contact: FuXiangChun <xfu>
Severity: medium
Priority: medium
Version: 7.4
CC: chayang, junma, juzhang, knoel, marcandre.lureau
Target Milestone: rc
Target Release: ---
Hardware: ppc64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-05-04 13:27:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Deadline: 2017-07-26

Description FuXiangChun 2017-05-04 09:45:20 UTC
Description of problem:

{"execute":"guest-file-open","arguments":{"path":"/tmp/fuxc","mode":"r"}}
{"error": {"class": "GenericError", "desc": "failed to open file '/tmp/fuxc' (mode: 'r'): Permission denied"}}

{"execute":"guest-file-open", "arguments":{"path":"/tmp/fuxc","mode":"w+"}}
{"error": {"class": "GenericError", "desc": "failed to open file '/tmp/fuxc' (mode: 'w+'): Permission denied"}}


Version-Release number of selected component (if applicable):
qemu-guest-agent-2.8.0-1.el7.x86_64
qemu-kvm-rhev-2.9.0-2.el7.x86_64
3.10.0-661.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot rhel7.4 guest

/usr/libexec/qemu-kvm -M pc -cpu Opteron_G5 -enable-kvm -m 8192 -smp 4,sockets=4,cores=1,threads=1 -no-kvm-pit-reinjection -name sluo-test -uuid b18fdd6c-a213-4022-9ca4-5d07225e40b0 -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,disable-legacy=on,disable-modern=false,id=virtio-serial0,max_ports=16,vectors=0,bus=pci.0,addr=0x3,ioeventfd=on \

-chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -chardev socket,id=charchannel1,path=/home/channel1,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=3,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0 \

-drive file=/home/rhel74-64-virtio.qcow2,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop,serial=QEMU-DISK1 -device virtio-scsi-pci,id=scsi0,bus=pci.0,ioeventfd=off -device scsi-hd,bus=scsi0.0,drive=drive-system-disk,id=system-disk,channel=0,scsi-id=0,lun=0,ver=mike,serial=ababab,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:1d:b1,bus=pci.0,addr=0x5,bootindex=2 -qmp tcp:0:4444,server,nowait -k en-us -boot menu=on -vnc :2 -spice disable-ticketing,port=5931 -vga qxl -monitor stdio

2. On the host:
   # nc -U /home/channel1

3. In the guest:
   # touch /tmp/fuxc

4. In the guest:
   # chmod 666 /tmp/fuxc

5. {"execute":"guest-file-open","arguments":{"path":"/tmp/fuxc","mode":"r"}}
   {"execute":"guest-file-open", "arguments":{"path":"/tmp/fuxc","mode":"w+"}}
Actual results:
{"error": {"class": "GenericError", "desc": "failed to open file '/tmp/fuxc' (mode: 'r'): Permission denied"}}

{"error": {"class": "GenericError", "desc": "failed to open file '/tmp/fuxc' (mode: 'w+'): Permission denied"}}

Expected results:
Works.

Additional info:
If writing to a non-existent file in the guest, this command works.

Comment 2 Marc-Andre Lureau 2017-05-04 13:27:17 UTC
First of all, guest-file* commands are disabled by default in RHEL.

Secondly, qemu-ga runs with restrictive SELinux policies; you can see it being denied access to open files by default with: ausearch -c 'qemu-ga' --raw

Closing as NOTABUG.

Comment 3 junma@redhat.com 2017-07-26 07:04:35 UTC
{"execute":"guest-file-open", "arguments":{"path":"/var/log/test-6","mode":"w+"}}
{"error": {"class": "GenericError", "desc": "The command guest-file-open has been disabled for this instance"}}
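The two failures discussed in Comment 2 and Comment 3 look alike from the host (both are a GenericError from guest-file-open) but have different causes: the RPC being blacklisted on the guest versus open() failing with EACCES, which on RHEL is normally an SELinux denial against qemu-ga. The following is an added example, not code from this bug or from the qemu-guest-agent project: a small QGA client for the host-side UNIX socket (the -chardev socket,path=... from the QEMU command line above) that asks guest-info which RPCs are enabled, runs a guest-file-open/read/close round trip, and tells the two error kinds apart, with a hint for each. The socket path, the sample replies used offline, and the remediation hints (BLACKLIST_RPC in /etc/sysconfig/qemu-ga as shipped with RHEL 7's qemu-guest-agent package, ausearch from Comment 2) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Minimal qemu-ga (QGA) client plus offline helpers for telling apart the
two guest-file-open failures seen in this bug: the RPC being blacklisted
inside the guest, and open(2) failing with EACCES (typically SELinux).
Added example; not part of qemu-guest-agent. Socket path, sample replies
and remediation hints are assumptions of this example."""
import base64
import json
import socket
import sys
from typing import Any, Dict, List, Optional


def qga_request(command: str, arguments: Optional[Dict[str, Any]] = None) -> bytes:
    """Encode one QGA request as a single JSON line (the agent reads line by line)."""
    msg: Dict[str, Any] = {"execute": command}
    if arguments:
        msg["arguments"] = arguments
    return (json.dumps(msg) + "\n").encode()


def classify_error(reply: Dict[str, Any]) -> Optional[str]:
    """Map a QGA reply to None (success), 'disabled', 'permission' or 'other'."""
    err = reply.get("error")
    if err is None:
        return None
    desc = err.get("desc", "")
    if "has been disabled" in desc:      # RPC blacklisted (the error in Comment 3)
        return "disabled"
    if "Permission denied" in desc:      # EACCES from open(2) (the error in Comment 2)
        return "permission"
    return "other"


def disabled_commands(guest_info_reply: Dict[str, Any]) -> List[str]:
    """Names of RPCs the agent reports as disabled in its guest-info reply."""
    cmds = guest_info_reply["return"]["supported_commands"]
    return sorted(c["name"] for c in cmds if not c.get("enabled", False))


# Assumed remediation hints for each error kind (see lead-in).
NEXT_STEP = {
    "disabled": "RPC is blacklisted: check BLACKLIST_RPC in /etc/sysconfig/qemu-ga "
                "(or the -b/--blacklist option) inside the guest and restart qemu-ga.",
    "permission": "open() returned EACCES: inside the guest run "
                  "ausearch -c 'qemu-ga' --raw and look for an SELinux AVC denial.",
    "other": "Unexpected error; see the 'desc' field of the reply.",
}

# Constructed sample replies for offline use: an abridged guest-info reply and
# the two error texts copied from this bug report.
SAMPLE_GUEST_INFO = {"return": {"version": "2.8.0", "supported_commands": [
    {"name": "guest-sync", "enabled": True, "success-response": True},
    {"name": "guest-file-open", "enabled": False, "success-response": True},
    {"name": "guest-file-read", "enabled": False, "success-response": True},
]}}
SAMPLE_DISABLED = {"error": {"class": "GenericError",
    "desc": "The command guest-file-open has been disabled for this instance"}}
SAMPLE_EACCES = {"error": {"class": "GenericError",
    "desc": "failed to open file '/tmp/fuxc' (mode: 'r'): Permission denied"}}


class QgaClient:
    """Talks to the agent over the host-side UNIX socket of the virtserialport."""

    def __init__(self, path: str, timeout: float = 5.0) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(timeout)
        self.sock.connect(path)
        self.rfile = self.sock.makefile("rb")

    def call(self, command: str, arguments: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        """Send one request and read exactly one JSON-line reply."""
        self.sock.sendall(qga_request(command, arguments))
        line = self.rfile.readline()
        if not line:
            raise ConnectionError("agent closed the channel")
        return json.loads(line)

    def read_file(self, path: str) -> bytes:
        """guest-file-open/read/close round trip; raises with a diagnosis on error."""
        reply = self.call("guest-file-open", {"path": path, "mode": "r"})
        kind = classify_error(reply)
        if kind:
            raise RuntimeError(f"{reply['error']['desc']} -> {NEXT_STEP[kind]}")
        handle = reply["return"]
        data = b""
        try:
            while True:
                chunk = self.call("guest-file-read", {"handle": handle, "count": 4096})
                if classify_error(chunk):
                    raise RuntimeError(chunk["error"]["desc"])
                data += base64.b64decode(chunk["return"]["buf-b64"])  # payload is base64
                if chunk["return"]["eof"]:
                    return data
        finally:
            self.call("guest-file-close", {"handle": handle})


if __name__ == "__main__":
    # Usage: qga_check.py /home/channel1 /tmp/fuxc   (paths are assumptions)
    client = QgaClient(sys.argv[1])
    client.call("guest-sync", {"id": 1447943})          # resync the channel first
    print("disabled RPCs:", disabled_commands(client.call("guest-info")))
    print(client.read_file(sys.argv[2]).decode(errors="replace"))
```

Run it on the host against the same socket that nc -U used in the reproducer; guest-info is itself an RPC, so if even that is blacklisted the script fails at the first call. Note that an AVC denial only appears in the guest's audit log, so the "permission" hint has to be followed up inside the VM.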