Bug 1761645
| Summary: | QEMU shmem socket not flagged in AppArmor | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | Jonathan Rubenstein <jrubcop> | ||||
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> | ||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | unspecified | CC: | crobinso, jamie, jdenemar, jfehlig, libvirt-maint, paelzer, tburke | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | libvirt-5.10.0 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-11-21 08:11:20 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Jonathan Rubenstein
2019-10-15 01:48:03 UTC
> On its own it caused another deny to reading /dev/shm so I also added "/{dev,run}/shm/ r,". This did not prevent VM from booting but should probably not need to read /dev/shm.
Please ignore this comment, it is the result of me providing pulseaudio args to QEMU and is not handled by libvirt, so it is my responsibility to manage the AppArmor profile for it. Thus it is unrelated to this bug.
CCing some libvirt apparmor maintainers Confirmed, neither hotplug nor static definitions work atm:
## Hotplug example: ##
<shmem name='my_shmem0'>
<model type='ivshmem-plain'/>
<size unit='M'>4</size>
</shmem>
virsh attach-device shmem shmem-plain.xml
error: internal error: unable to execute QEMU command 'object-add': can't open backing store /dev/shm/my_shmem0 for guest RAM: Permission denied
And along that the denial:
apparmor="DENIED" operation="mknod" namespace="root//lxd-e_<var-snap-lxd-common-lxd>" profile="libvirt-1c727397-6e4c-483e-aef3-88da04ffaed4" name="/dev/shm/my_shmem0" pid=13949 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055
For a doorbell you could like:
$ ivshmem-server -S /var/lib/libvirt/ivshmem_socket
$ chown libvirt-qemu:kvm /var/lib/libvirt/ivshmem_socket
<shmem name='shmem_server'>
<model type='ivshmem-doorbell'/>
<server path='/var/lib/libvirt/ivshmem_socket'/>
<msi vectors='32' ioeventfd='on'/>
</shmem>
Which will cause a similar error:
$ virsh attach-device eoan-shmem shmem-db.xml
error: internal error: unable to execute QEMU command 'chardev-add': Failed to connect socket /var/lib/libvirt/ivshmem_socket: Permission denied
And also has a deny:
apparmor="DENIED" operation="connect" namespace="root//lxd-e_<var-snap-lxd-common-lxd>" profile="libvirt-1c727397-6e4c-483e-aef3-88da04ffaed4" name="/var/lib/libvirt/ivshmem_socket" pid=13949 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
## Static example ##
Same XML content as above:
doorbell:
error: internal error: process exited while connecting to monitor: 2019-10-16T08:56:14.819083Z qemu-system-x86_64: -chardev socket,id=charshmem0,path=/var/lib/libvirt/ivshmem_socket: Failed to connect socket /var/lib/libvirt/ivshmem_socket: Permission denied
apparmor="DENIED" operation="connect" namespace="root//lxd-e_<var-snap-lxd-common-lxd>" profile="libvirt-1c727397-6e4c-483e-aef3-88da04ffaed4" name="/var/lib/libvirt/ivshmem_socket" pid=24560 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
plain:
error: internal error: process exited while connecting to monitor: 2019-10-16T09:00:52.298546Z qemu-system-x86_64: -object memory-backend-file,id=shmmem-shmem0,mem-path=/dev/shm/my_shmem0,size=4194304,share=yes: can't open backing store /dev/shm/my_shmem0 for guest RAM: Permission denied
For hotplug we usually need a backend to the security labeling calls (hopefully there are any already for shmem). For static definitions we usually need virt-aa-helper to render that from the XML which in these cases also needs it to be able to call the logic creating the path from a plain shmem defintion. TODOs:
Static definition:
- src/qemu/qemu_command.c: refactor qemuBuildShmemBackendMemProps to be able to reuse the path creation
- virt-aa-helper:
- iterate nshmems to access shmems[i]
- for model VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_PLAIN use refactored shmem path creation
- for model VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_DOORBELL check
- ->server
- ->server.enabled
- Use path of ->server.chr.data.nix.path
- model VIR_DOMAIN_SHMEM_MODEL_IVSHMEM can have either kind of attributes
- but deprecated so could be skipped if ti is too much of a hazzle
Hotplug:
I haven't seen a security labeling call qemuSecurity*Label of any kind near qemuDomainAttachShmemDevice yet.
Therefore Hotplug might need a deeper check and if in fact there are no calls yet those need to be added first.
Those would be called for the substring in props (see above refactoring) and the path that qemuMonitorAttachCharDev uses in there.
FYI: sent upstream https://www.redhat.com/archives/libvir-list/2019-October/msg01461.html FYI - changes in upstream git now
commit 36afd1a78ed8e13e33cdf954c6618c178ef777a1
Author: Christian Ehrhardt <christian.ehrhardt>
Date: Thu Oct 17 12:48:10 2019 +0200
virt-aa-helper: add rules for shmem devices
|