Red Hat Bugzilla – Bug 752255
libvirt fails to initialize nwfilter when /tmp is mounted with noexec option
Last modified: 2012-08-08 14:29:11 EDT
Cloning to RHEL 6. I also have to wonder if the Common Criteria folks might be interested in this one, since they run /tmp with noexec mount option, and the use of nwfilter seems useful to lock down guests; although failure to run nwfilter is not a security hole, per se.

+++ This bug was initially created as a clone of Bug #752254 +++

Description of problem:

When /tmp filesystem is mounted with noexec option:

tmpfs on /tmp type tmpfs (rw,noexec,nosuid,size=512M)

libvirt fails to initialize nwfilter framework and then fails to start any domain using nwfilter rules.

22:22:32.545: 7699: debug : ebiptablesExecCLI:2590 : cmd='/sbin/ebtables -t nat -L'
eval res=\$\("${cmd}"\)
if [ $? -ne 0 ]; then echo "Failure to execute command '${cmd}'."; exit 1;fi
22:22:32.545: 7699: debug : virRunWithHook:833 : /tmp/virtduqjigQ
22:22:32.549: 7699: debug : virRunWithHook:851 : Command stderr:
22:22:32.548: 7733: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
22:22:32.548: 7733: error : __virExec:676 : cannot execute binary /tmp/virtduqjigQ: Permission denied
libvir: error : cannot execute binary /tmp/virtduqjigQ: Permission denied
22:22:32.549: 7699: debug : ebiptablesExecCLI:2611 : rc = 0, status = 1

I have seen similar problems over the internet, and it seems these problems were incorrectly classified as iptables/ip6tables/ebtables not being available in PATH.

Version-Release number of selected component (if applicable):
libvirt-0.8.7-18.el6_1.1.x86_64 (but as far as I can tell after looking at 0.9.7 sources the same problem persists in this version too)

How reproducible:
Mount /tmp with noexec option, restart libvirt.

Actual results:

1. Nwfilter not being initialized at libvirt's start:

Nov 8 22:20:48 kastor libvirtd: 22:20:48.984: 7523: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
Nov 8 22:20:48 kastor libvirtd: 22:20:48.994: 7523: info : networkReloadIptablesRules:1382 : Reloading iptables rules
Nov 8 22:20:49 kastor libvirtd: 22:20:49.231: 7523: error : ebiptablesDriverInit:3766 : internal error firewall tools were not found or cannot be used

2. Nwfilter not being usable within domain configuration:

[root@kastor ~]# virsh start av
error: Failed to start domain av
error: internal error Could not get access to ACL tech driver 'ebiptables'
[root@kastor ~]#

Additional info:
Since ebiptablesExecCLI() function's only purpose is to run script generated for checking iptables/ip6tables/ebtables capabilities it should be easy to fix this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path' instead of calling it directly.

--- Additional comment from eblake@redhat.com on 2011-11-08 16:32:20 MST ---

(In reply to comment #0)
> Description of problem:
>
> Additional info:
> Since ebiptablesExecCLI() function's only purpose is to run script generated
> for checking iptables/ip6tables/ebtables capabilities it should be easy to fix
> this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path'
> instead of calling it directly.

Agree - and this should be a fairly easy patch to get approved.
In POST: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-November/msg00108.html
I reproduced this bug with: libvirt-0.9.4-22.el6.x86_64 and libvirt-0.8.7-18.el6_1.1.x86_64.rpm

Steps:
1) Create a lv (vg_intelw352081-tmp) or a new partition (sda7), mkfs it and mount it
2) #mount /dev/mapper/vg_intelw352081-tmp /mnt/tmp
3) #cp -ar /tmp /mnt/
4) #umount /mnt/tmp
5) #mount /dev/mapper/vg_intelw352081-tmp /tmp -o noexec,nosuid
6) #service libvirtd restart
7) #tail /var/log/libvirt/libvirtd.log
14:04:33.164: 5537: error : ebiptablesDriverInit:3779 : internal error firewall tools were not found or cannot be used
8) Need to add a nwfilter to the test's XML, like this:
<interface type='bridge'>
  <mac address='52:54:00:61:cd:ed'/>
  <source bridge='breth0'/>
  <filterref filter='clean-traffic'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
9) #virsh start test
error: Failed to start domain test
error: internal error Could not get access to ACL tech driver 'ebiptables'
Reproduced it with libvirt-0.9.4-22.el6.x86_64, and verified it with libvirt-0.9.8-1.el6.x86_64 and it passed.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, libvirt's implementation of nwfilter would attempt to execute a temporary file generated directly in /tmp, which would fail if /tmp is mounted noexec for security reasons. The implementation of nwfilter has been improved to avoid the need for a temporary file altogether, which removed the need for libvirt to modify or use files in /tmp.
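As an added example (not libvirt's code and not the patch referenced in this bug): a Python check that tells whether a path sits on a noexec mount, so the "firewall tools were not found or cannot be used" error can be traced to the mount rather than to PATH, plus a probe runner that feeds the generated check script to /bin/sh on stdin instead of writing and executing a file in /tmp, in the spirit of the `/bin/sh script` workaround proposed in the description and the temp-file-free fix described in the technical note. The mount table, the probe script contents and the /bin/sh path are constructed assumptions.

```python
import subprocess
from typing import List, Tuple

# Constructed sample of /proc/mounts (not taken from the bug report); /tmp is noexec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,size=512M 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""

def mount_options_for(path: str, mounts_text: str) -> Tuple[str, List[str]]:
    """Return (mount point, options) of the longest mount point that covers path."""
    best: Tuple[str, List[str]] = ("", [])
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3].split(",")
        prefix = mnt if mnt.endswith("/") else mnt + "/"
        if (path == mnt or path.startswith(prefix)) and len(mnt) > len(best[0]):
            best = (mnt, opts)
    return best

def is_noexec(path: str, mounts_text: str) -> bool:
    """True if the filesystem holding path is mounted noexec (direct execve fails)."""
    return "noexec" in mount_options_for(path, mounts_text)[1]

def build_check_script(cmds: List[str]) -> str:
    """Build a probe script in the shape of the one quoted in the bug: run each
    tool once and abort with a message if it cannot be executed."""
    lines = []
    for cmd in cmds:
        lines.append(f"cmd='{cmd}'")
        lines.append("if ! ${cmd} >/dev/null 2>&1; then "
                     "echo \"Failure to execute command '${cmd}'.\"; exit 1; fi")
    lines.append('echo "all firewall tools usable"')
    return "\n".join(lines) + "\n"

def run_script_via_stdin(script: str, shell: str = "/bin/sh") -> Tuple[int, str, str]:
    """Feed the script to the shell on stdin. Nothing is written to /tmp, so a
    noexec mount cannot break the probe and no executable content lands on disk.
    (Invoking '/bin/sh /tmp/script' would also sidestep noexec, which is why
    noexec alone is not a control against script execution.)"""
    proc = subprocess.run([shell, "-s"], input=script, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr
```

On a live host, pass the contents of /proc/mounts to is_noexec() in place of SAMPLE_MOUNTS.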
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0748.html