Bug 857358

Created attachment 612772 [details]
audit log

Description of problem:
command "ls" got Permission denied in guest's virtFS directory.

Version-Release number of selected component (if applicable):
libvirt-0.10.1-2.el6.x86_64
qemu-stable-1.0.git

How reproducible:
Always

Steps to Reproduce:
0. Prepare a guest whose kernel support p9fs.
In guest:
# grep 9P /boot/config-$(uname -r)
CONFIG_NET_9P=m
CONFIG_NET_9P_VIRTIO=m
CONFIG_NET_9P_RDMA=m
# CONFIG_NET_9P_DEBUG is not set
CONFIG_9P_FS=m
CONFIG_9P_FSCACHE=y

If the option value is "y", that indicates p9fs driver is built into the kernel ("=y").
If the option value is "m", that indicates p9fs driver will be built as a module ("=m"), user can load it manually via "modprobe" command.
If the option value is "n" or no the config line, that indicates p9fs driver is not selected. User need re-compile kernel.
 
Acctually F14 release kernel has supported p9fs. So we can use FC14 or later to test this case.
 
NOTE:
Not all the qemu emulator is support virtFS feature, so before run this case, make sure your qemu emulator suport virtFS on host.
Check if your qemu support p9fs on host:
# /usr/libexec/qemu-kvm --help
...
File system options:
-fsdev local,id=id,path=path,security_model=[mapped|passthrough|none]
Virtual File system pass-through options:
-virtfs local,path=path,mount_tag=tag,security_model=[mapped|passthrough|none]
...

# /usr/libexec/qemu-kvm -device '?'
...
name "virtio-9p-pci", bus PCI
...

If any of the above two options is missing, that indicates your qemu does NOT support 9pfs.

The upstream qemu does support p9fs, so you need compile the latest qemu emulator.
Get and build latest qemu binary.

1). Get the latest git repository from http://git.qemu.org/.
Notes:By now, upstream qemu not support virtFS, so we should use previous stable build to testing
# git clone git://git.qemu.org/qemu-stable-1.0.git

2). cd to the downloaded qemu source directory

3). Configure QEMU for the desired target.
# ./configure '--target-list=x86_64-softmmu' '--enable-debug' '--enable-kvm' '--enable-attr' '--prefix=/usr'

NOTE:
Make sure install zlib-devel, libattr & libattr-devel

4). Compile QEMU
# make
# make install


1.Add the following lines to the guest xml.
    <filesystem type='mount'>
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
NOTE:
"/tmp" is what host expose to guest
"test_mount" is not actually a directory, it is merely a arbitrary string tag that is exported to the guest as a hint for where to mount it.
Example:
<domain type='kvm'>
  <name>p9fs</name>
  <memory>1048576</memory>
  <currentMemory>1048576</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.13'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/p9fs.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <filesystem type='mount'>
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
    <interface type='network'>
      <mac address='52:54:00:09:79:6f'/>
      <source network='default'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
  </devices>
</domain>

2. Make sure user=root and group=root in /etc/libvirt/qemu.conf.
   Then start the domain.

3. In guest, check the virtFS functionality.
# lsmod|grep  9p
9p                     28949  0
fscache                44467  1 9p
9pnet_virtio            3717  0
virtio                  4242  1 9pnet_virtio
virtio_ring             6110  1 9pnet_virtio
9pnet                  40618  2 9p,9pnet_virtio

# mount -t 9p -o trans=virtio test_mount /tmp/shared/
# cd /tmp/shared/
# ls
# touch test.sh
# cat test.sh
echo "hello"
# chmod a+x test.sh
# ./tset.sh
hello
  
Actual results:
whether setenforce 0 or 1 in guest, ls and ll command got Permission denied

Expected results:
After mount successfully, find ls output is listing context from your host dir /tmp

Additional info:
The related log is in the attachment.
When use options with command mount like this: mount -t 9p -o trans=virtio test_mount /tmp/shared -oversion=9p2000.L,posixacl,cache=loose, ls can get listing result, but it still prompts Permission denied.
And, ls got permission denied with every different access mode for virtfs mount type, such as:
==========mapped============
For mapped security model, you need to enable xattr on the host FS.By default, xattr is enabled generally.
    <filesystem type='mount'  accessmode='mapped' >
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
===========passthrough============
passthrough needs QEMU run as root.So make sure user=root and group=root in /etc/libvirt/qemu.conf
    <filesystem type='mount'  accessmode='passthrough' >
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
==========squash============
Here I run qemu process as qemu user.So make sure user=qemu and group=qemu in /etc/libvirt/qemu.conf, or coment out this two lines
    <filesystem type='mount'  accessmode='squash' >
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>