Bug 1584318 - /usr/bin/qemu-ga tries to read root directory of other disk mount points
Summary: /usr/bin/qemu-ga tries to read root directory of other disk mount points
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-guest-agent
Version: 7.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Marc-Andre Lureau
QA Contact: FuXiangChun
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-30 17:21 UTC by Robert Scheck
Modified: 2022-03-13 15:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-17 17:15:08 UTC
Target Upstream Version:
Embargoed:



Description Robert Scheck 2018-05-30 17:21:28 UTC
Description of problem:
type=AVC msg=audit(1527666449.109:60162): avc:  denied  { read } for  pid=514 comm="qemu-ga" name="/" dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1527666449.109:60162): arch=x86_64 syscall=open success=no exit=EACCES a0=55a746faf5c0 a1=80000 a2=0 a3=55a74573de90 items=0 ppid=1 pid=514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Given it helps for the understanding of the issue:

 - /dev/sda1 mounted on /boot
 - /dev/sdb mounted on /var/www
 - /dev/sdc is swap
 - /dev/sdd mounted on /

The wild mixture of /dev/sdX is caused by RHV, but not an issue here.

Version-Release number of selected component (if applicable):
qemu-guest-agent-2.8.0-2.el7.x86_64
httpd-2.4.6-80.el7.x86_64
selinux-policy-3.13.1-192.el7_5.3.noarch

How reproducible:
Not sure.

Actual results:
/usr/bin/qemu-ga tries to read root directory of other disk mount points.

Expected results:
If this is fine, it should be allowed in general in the SELinux policy. If
it is not fine, qemu-guest-agent needs to be fixed.

Comment 2 Robert Scheck 2018-05-30 17:26:44 UTC
Cross-filed ticket 02110190 at the Red Hat customer portal.

Comment 3 Lukas Vrabec 2018-06-13 10:58:38 UTC
I have no idea what's going on in qemu-guest-agent. Moving to that component.

Comment 4 Marc-Andre Lureau 2018-07-04 10:41:10 UTC
There are various commands that manipulate the mount points, but I am not sure how you could reach the read() error: guest-fstrim, guest-get-fsinfo, guest-fsfreeze* (and more that could, but are disabled by default)

I mounted a loopback file, and tried to reproduce the SELinux error by running various qemu-ga commands: without success.

Could you isolate the command triggering the error? 

thanks

Comment 5 Robert Scheck 2018-07-19 10:27:04 UTC
I am sorry, we haven't been able to figure out a specific command, given we
also did not do anything "exotic" when it appeared.

Comment 6 Marc-Andre Lureau 2018-07-19 10:39:20 UTC
It's not clear if it's qemu-ga fault or user fault. Let's keep it in needinfo state until we have a reproducer.

Comment 7 Marc-Andre Lureau 2018-08-06 14:32:59 UTC
moving to 7.7

Comment 9 Marc-Andre Lureau 2018-11-29 09:33:01 UTC
(In reply to Li Xiaohui from comment #8)
> Hi All,
> I tested this bug in kernel-3.10.0-862.el7.x86_64 &
> qemu-kvm-rhev-2.10.0-21.el7.x86_64 & qemu-guest-agent-2.8.0-2.el7.x86_64,
> get results like followings:
> 
> Test Steps:
> 1.Boot guest with one usb-storage and virtio-serial chardev as qemu-ga
> front-end:
> /usr/libexec/qemu-kvm -M pc \
> -cpu SandyBridge \
> -enable-kvm \
> -m 4G \
> -smp 4 \
> -rtc base=utc,clock=host,driftfix=slew \
> -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x6 \
> -drive
> file=/mnt/rhel-image/rhel75.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0,
> media=disk,cache=none,werror=stop,rerror=stop \
> -device scsi-hd,bus=scsi0.0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 \
> -device
> virtio-net-pci,mac=2c:76:8a:b0:e0:1c,id=netdev1,vectors=4,netdev=net1
> -netdev tap,id=net1,vhost=on \
> -device ich9-usb-uhci1,id=controller \
> -drive
> file=data1.qcow2,id=drive-storage0,if=none,media=disk,cache=none,
> format=qcow2 \
> -device usb-storage,drive=drive-storage0,bus=controller.0,id=storage0 \
> -chardev socket,id=serial0,path=/tmp/serial,server,nowait \
> -device isa-serial,chardev=serial0  \
> -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x7 \
> -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 \
> -qmp tcp:0:4443,server,nowait \
> -vnc :3 \
> -monitor stdio \
> -vga qxl \
> -boot menu=on \
> 
> 2.After guest started, mount usb-storage to /var/www:
> [root@localhost /]# fdisk -l
> Disk /dev/sda: 53.7 GB, 53687091200 bytes, 104857600 sectors
> Units = sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disk label type: dos
> Disk identifier: 0x0009c4dc
> 
>    Device Boot      Start         End      Blocks   Id  System
> /dev/sda1   *        2048     2099199     1048576   83  Linux
> /dev/sda2         2099200   104857599    51379200   8e  Linux LVM
> 
> ...
> 
> Disk /dev/sdb: 2147 MB, 2147483648 bytes, 4194304 sectors
> Units = sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> [root@localhost ~]# mount /dev/sdb /var/www
> 
> 3.In guest, remove
> "guest-file-open,guest-file-close,guest-file-read,guest-file-write" from
> BLACKLIST_RPC in /etc/sysconfig/qemu-ga file.
> 
> 4.In guest, restart qemu-guest-agent service and keep selinux enabled
> 
> 5.On host, connect to qemu-ga via "nc -U"
> [root@hp-dl385g7-06 ~]# nc -U /tmp/qga.sock
> 
> 6.Try to open file through qemu-ga
> 
> 
> Actual Result:
> 1.open local file, it's successful, and nothing in /var/log/audit/audit.log
> from guest:
> [root@hp-dl385g7-06 ~]# nc -U /tmp/qga.sock
> {"execute":"guest-file-open","arguments":{"path":"/tmp/test","mode":"r"}}
> {"return": 1002}
> 
> 2.open mounted file, permission denied, and get some log in
> /var/log/audit/audit.log from guest:
> [root@hp-dl385g7-06 ~]# nc -U /tmp/qga.sock
> {"execute":"guest-file-open","arguments":{"path":"/dev/sdb","mode":"r"}}
> {"error": {"class": "GenericError", "desc": "failed to open file '/dev/sdb'
> (mode: 'r'): Permission denied"}}

Opening the device itself is probably not what you wanted. I guess you wanted to check a mounted file. 

> 
> [root@localhost /]# cat /var/log/audit/audit.log
> type=AVC msg=audit(1543476888.274:511): avc:  denied  { read } for  pid=701
> comm="qemu-ga" name="sdb" dev="devtmpfs" ino=14026
> scontext=system_u:system_r:virt_qemu_ga_t:s0
> tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> type=SYSCALL msg=audit(1543476888.274:511): arch=c000003e syscall=2
> success=no exit=-13 a0=55bde85c5520 a1=900 a2=0 a3=4000 items=0 ppid=1
> pid=701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga"
> subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
> 
> 
> Robert,
> Is Actual Result's 2 your expected reproduce result?
> 
> Marc-Andre,
> when selinux is enabled, shouldn't allow to read/write file(local or mounted
> file) via qemu-ga, is right? 

I think it may depend on the file. Under /tmp, the default rule may allow you to open/read it. 

TBH I don't know what level of support we want for qemu-ga functions that are blacklisted...
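To triage the two denials quoted in this bug (the one in the description and the one from the reproduction in comment 9), here is an added Python helper that is not part of the report or of qemu-ga: it pulls the source domain, target type, object class and refused permissions out of each AVC record and shows the allow rule audit2allow would propose, which is the policy change the reporter asks about under "Expected results". The sample log is those two AVC lines rejoined onto single lines plus the description's SYSCALL record; the rule is generated for review only, not applied.

```python
import re

# Sample audit records: the two AVC denials quoted in this bug, re-joined onto one
# line each, plus the SYSCALL record that accompanies the first one.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1527666449.109:60162): avc:  denied  { read } for  pid=514 comm="qemu-ga" name="/" dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1527666449.109:60162): arch=x86_64 syscall=open success=no exit=EACCES a0=55a746faf5c0 a1=80000 a2=0 a3=55a74573de90 items=0 ppid=1 pid=514 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1543476888.274:511): avc:  denied  { read } for  pid=701 comm="qemu-ga" name="sdb" dev="devtmpfs" ino=14026 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

# Fixed prefix of an AVC denial record; the key=value tail is parsed separately.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are double-quoted (comm="qemu-ga") or bare (tclass=dir).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(log_text):
    """Return one dict per AVC denial: source domain, target type/class/object and the
    permissions that were refused. Non-AVC records (SYSCALL etc.) are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            "dev": fields.get("dev"),
            # a context is user:role:type:level; policy rules are written on the type
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        })
    return denials


def candidate_allow_rule(denial):
    """The allow rule audit2allow would generate for this denial, for review only:
    whether such access should be allowed at all is exactly the open question here."""
    perms = " ".join(denial["perms"])
    return f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    for d in parse_avc_denials(SAMPLE_AUDIT_LOG):
        print(d["comm"], "denied", d["perms"], "on", d["tclass"], repr(d["name"]),
              "dev", d["dev"], "labelled", d["ttype"], "->", candidate_allow_rule(d))
```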

Comment 10 Li Xiaohui 2018-11-29 10:01:35 UTC
(In reply to Marc-Andre Lureau from comment #9)
> > Actual Result:
> > 1.open local file, it's successful, and nothing in /var/log/audit/audit.log
> > from guest:
> > [root@hp-dl385g7-06 ~]# nc -U /tmp/qga.sock
> > {"execute":"guest-file-open","arguments":{"path":"/tmp/test","mode":"r"}}
> > {"return": 1002}
> > 
> > 2.open mounted file, permission denied, and get some log in
> > /var/log/audit/audit.log from guest:
> > [root@hp-dl385g7-06 ~]# nc -U /tmp/qga.sock
> > {"execute":"guest-file-open","arguments":{"path":"/dev/sdb","mode":"r"}}
> > {"error": {"class": "GenericError", "desc": "failed to open file '/dev/sdb'
> > (mode: 'r'): Permission denied"}}
> 
> Opening the device itself is probably not what you wanted. I guess you
> wanted to check a mounted file. 
emmm, I just want to reproduce this bug, and make audit.log more similar to Comment 1.

and found that only when SELinux is enabled can I get a similar log in the guest's audit.log.
> 
> > 
> > [root@localhost /]# cat /var/log/audit/audit.log
> > type=AVC msg=audit(1543476888.274:511): avc:  denied  { read } for  pid=701
> > comm="qemu-ga" name="sdb" dev="devtmpfs" ino=14026
> > scontext=system_u:system_r:virt_qemu_ga_t:s0
> > tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
> > type=SYSCALL msg=audit(1543476888.274:511): arch=c000003e syscall=2
> > success=no exit=-13 a0=55bde85c5520 a1=900 a2=0 a3=4000 items=0 ppid=1
> > pid=701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga"
> > subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
> > 
> > 
> > Robert,
> > Is Actual Result's 2 your expected reproduce result?
> > 
> > Marc-Andre,
> > when selinux is enabled, shouldn't allow to read/write file(local or mounted
> > file) via qemu-ga, is right? 
> 
> I think it may depend on the file. Under /tmp, the default rule may allow
> you to open/read it. 
Yes, tried again, you're right.
> 
> TBH I don't know what level of support we want for qemu-ga functions that
> are blacklisted...

