Bug 857358 - [virtFS]commands "ls" got Permission denied in guest's virtFS directory
Status: CLOSED WORKSFORME
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Libvirt Maintainers
Reported: 2012-09-14 04:26 EDT by Xu Wang
Modified: 2016-04-26 11:16 EDT
Doc Type: Bug Fix
Last Closed: 2016-03-23 18:41:19 EDT
Type: Bug
Attachments:
audit log (61.15 KB, text/plain), 2012-09-14 04:26 EDT, Xu Wang
libvirt log (651 bytes, text/plain), 2012-09-14 04:32 EDT, Xu Wang
qemu log of guest p9fs (1.13 KB, text/plain), 2012-09-14 04:33 EDT, Xu Wang
operations in guest (8.26 KB, text/plain), 2012-09-14 04:35 EDT, Xu Wang

Description Xu Wang 2012-09-14 04:26:06 EDT
Created attachment 612772
audit log

Description of problem:
command "ls" got Permission denied in guest's virtFS directory.

Version-Release number of selected component (if applicable):
libvirt-0.10.1-2.el6.x86_64
qemu-stable-1.0.git

How reproducible:
Always

Steps to Reproduce:
0. Prepare a guest whose kernel supports p9fs.
In guest:
# grep 9P /boot/config-$(uname -r)
CONFIG_NET_9P=m
CONFIG_NET_9P_VIRTIO=m
CONFIG_NET_9P_RDMA=m
# CONFIG_NET_9P_DEBUG is not set
CONFIG_9P_FS=m
CONFIG_9P_FSCACHE=y

If the option value is "y", that indicates the p9fs driver is built into the kernel ("=y").
If the option value is "m", that indicates the p9fs driver will be built as a module ("=m"), which the user can load manually via the "modprobe" command.
If the option value is "n" or the config line is absent, that indicates the p9fs driver is not selected. The user needs to recompile the kernel.
 
Actually, the F14 release kernel already supports p9fs, so we can use FC14 or later to test this case.
 
NOTE:
Not all qemu emulators support the virtFS feature, so before running this case, make sure your qemu emulator supports virtFS on the host.
Check whether your qemu supports p9fs on the host:
# /usr/libexec/qemu-kvm --help
...
File system options:
-fsdev local,id=id,path=path,security_model=[mapped|passthrough|none]
Virtual File system pass-through options:
-virtfs local,path=path,mount_tag=tag,security_model=[mapped|passthrough|none]
...

# /usr/libexec/qemu-kvm -device '?'
...
name "virtio-9p-pci", bus PCI
...

If either of the above two options is missing, that indicates your qemu does NOT support 9pfs.

The upstream qemu does support p9fs, so you need to compile the latest qemu emulator.
Get and build latest qemu binary.

1). Get the latest git repository from http://git.qemu.org/.
Notes: at present, upstream qemu does not support virtFS, so we should use the previous stable build for testing.
# git clone git://git.qemu.org/qemu-stable-1.0.git

2). cd to the downloaded qemu source directory

3). Configure QEMU for the desired target.
# ./configure '--target-list=x86_64-softmmu' '--enable-debug' '--enable-kvm' '--enable-attr' '--prefix=/usr'

NOTE:
Make sure zlib-devel, libattr and libattr-devel are installed.

4). Compile QEMU
# make
# make install


1.Add the following lines to the guest xml.
    <filesystem type='mount'>
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
NOTE:
"/tmp" is what the host exposes to the guest.
"test_mount" is not actually a directory; it is merely an arbitrary string tag that is exported to the guest as a hint for where to mount it.
Example:
<domain type='kvm'>
  <name>p9fs</name>
  <memory>1048576</memory>
  <currentMemory>1048576</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.13'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/p9fs.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <filesystem type='mount'>
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
    <interface type='network'>
      <mac address='52:54:00:09:79:6f'/>
      <source network='default'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
  </devices>
</domain>

2. Make sure user=root and group=root in /etc/libvirt/qemu.conf.
   Then start the domain.

3. In guest, check the virtFS functionality.
# lsmod|grep  9p
9p                     28949  0
fscache                44467  1 9p
9pnet_virtio            3717  0
virtio                  4242  1 9pnet_virtio
virtio_ring             6110  1 9pnet_virtio
9pnet                  40618  2 9p,9pnet_virtio

# mount -t 9p -o trans=virtio test_mount /tmp/shared/
# cd /tmp/shared/
# ls
# touch test.sh
# cat test.sh
echo "hello"
# chmod a+x test.sh
# ./test.sh
hello
  
Actual results:
Whether setenforce is 0 or 1 in the guest, the ls and ll commands get Permission denied.

Expected results:
After mounting successfully, the ls output lists the contents of your host dir /tmp.

Additional info:
The related log is in the attachment.
When using options with the mount command like this: mount -t 9p -o trans=virtio test_mount /tmp/shared -oversion=9p2000.L,posixacl,cache=loose, ls can get the listing result, but it still prompts Permission denied.
Also, ls got Permission denied with every access mode for the virtfs mount type, such as:
==========mapped============
For the mapped security model, you need to enable xattr on the host FS. By default, xattr is generally enabled.
    <filesystem type='mount'  accessmode='mapped' >
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
===========passthrough============
passthrough needs QEMU to run as root, so make sure user=root and group=root in /etc/libvirt/qemu.conf.
    <filesystem type='mount'  accessmode='passthrough' >
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
==========squash============
Here I run the qemu process as the qemu user, so make sure user=qemu and group=qemu in /etc/libvirt/qemu.conf, or comment out these two lines.
    <filesystem type='mount'  accessmode='squash' >
      <source dir='/tmp'/>
      <target dir='test_mount'/>
    </filesystem>
Comment 1 Xu Wang 2012-09-14 04:32:35 EDT
Created attachment 612773
libvirt log
Comment 3 Xu Wang 2012-09-14 04:33:54 EDT
Created attachment 612774
qemu log of guest p9fs
Comment 4 Xu Wang 2012-09-14 04:35:44 EDT
Created attachment 612775
operations in guest
Comment 5 Dave Allan 2012-09-14 11:23:35 EDT
(In reply to comment #0)
> libvirt-0.10.1-2.el6.x86_64
> qemu-stable-1.0.git

Please reproduce with a Red Hat qemu binary.
Comment 6 Osier Yang 2012-09-17 02:15:46 EDT
RHEL qemu-kvm doesn't support 9pfs yet, move to upstream component.
Comment 7 Xu Wang 2012-09-17 05:36:33 EDT
This bug has been moved to upstream component.
Comment 9 chandrashekar shastri 2013-08-20 12:48:35 EDT
Host and Guest Kernel : 3.9.5-301.fc19.x86_64

libvirtd --version
libvirtd (libvirt) 1.1.1

qemu-system-x86_64 --version
QEMU emulator version 1.5.91, Copyright (c) 2003-2008 Fabrice Bellard

This issue is also seen on the Upstream Libvirt commit a7f94a40bb2554c56d0c6bea98a5843690dc3933. 

If we mount the virtfs in the guest and try to cat some of the files from the host directory, then it throws a permission denied error.

But, if we boot the guest with qemu (commit b9ac5d923b820a0f0152a2df56067e55ce34f487) then it works fine. 

xml:
----
<domain type='kvm'>
  <name>Fedora19</name>
  <uuid>6cede796-e295-294e-5198-37448a5fe057</uuid>
  <memory unit='KiB'>3072000</memory>
  <currentMemory unit='KiB'>3072000</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-1.6'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/var/lib/libvirt/images/Fedora19.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/tmp'/>
      <target dir='file'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </filesystem>
    <interface type='network'>
      <mac address='52:54:00:80:3c:03'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='vga' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>
Comment 10 Hiroshi Miura 2014-03-21 02:52:29 EDT
There is a workaround for it.

When the host directory to be shared is `/share`,
running the following commands on the host makes things work.

```bash
sudo semanage fcontext -a -t virt_content_t "/share(/.*)?"
sudo restorecon -R /share
```

IMO it is necessary to fix the
   /* XXX fixme process  def->fss if relabel == true */
part of src/security/security_selinux.c
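Pulling together the description's accessmode requirement (passthrough needs user=root and group=root in qemu.conf) and comment 10's SELinux relabel of the shared directory, here is an added host-side pre-flight check. It is example code written for this page, not part of libvirt or of the bug report; the domain XML, qemu.conf text and ls -Zd contexts it consumes are constructed inputs, and the assumed defaults (qemu user when qemu.conf lines are commented out, passthrough when accessmode is omitted) are marked in the comments.

```python
# Added example, not from the bug report: a host-side pre-flight check for the two
# causes of "Permission denied" discussed in this bug. All inputs are constructed;
# on a real host they come from virsh dumpxml, /etc/libvirt/qemu.conf and ls -Zd.
import re
import xml.etree.ElementTree as ET

# Comment 10's workaround labels the shared host directory with this SELinux type.
REQUIRED_SELINUX_TYPE = "virt_content_t"

def parse_qemu_conf(text, default="qemu"):
    """Return the (user, group) QEMU runs as. Commented-out lines are ignored and
    fall back to the packaged default, which the reporter treats as the qemu user."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(user|group)\s*=\s*"([^"]*)"', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings.get("user", default), settings.get("group", default)

def filesystems(domain_xml):
    """Yield (host_dir, mount_tag, accessmode) for each <filesystem type='mount'>;
    libvirt's documented default accessmode is passthrough (assumed here)."""
    for fs in ET.fromstring(domain_xml).iter("filesystem"):
        if fs.get("type") == "mount":
            yield (fs.find("source").get("dir"), fs.find("target").get("dir"),
                   fs.get("accessmode", "passthrough"))

def selinux_type(context):
    """Extract the type field from a 'user:role:type:level' SELinux context."""
    return context.split(":")[2]

def check(domain_xml, qemu_conf, contexts):
    """contexts maps host dir -> its SELinux context (as printed by ls -Zd).
    Returns a list of findings; an empty list means no known cause was found."""
    user, group = parse_qemu_conf(qemu_conf)
    findings = []
    for host_dir, tag, mode in filesystems(domain_xml):
        # Description: passthrough needs QEMU to run as root (user/group in qemu.conf).
        if mode == "passthrough" and (user, group) != ("root", "root"):
            findings.append(f"{tag}: accessmode=passthrough but QEMU runs as "
                            f"{user}:{group}; set user=root and group=root in qemu.conf")
        # Comment 10: relabel the host directory as virt_content_t and restorecon it.
        stype = selinux_type(contexts.get(host_dir, "?:?:unknown_t:?"))
        if stype != REQUIRED_SELINUX_TYPE:
            findings.append(f"{tag}: {host_dir} is labelled {stype}; run "
                            f'semanage fcontext -a -t {REQUIRED_SELINUX_TYPE} "{host_dir}(/.*)?" '
                            f"&& restorecon -R {host_dir}")
    return findings
```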
Comment 11 Cole Robinson 2016-03-23 18:41:19 EDT
Closing due to workaround in Comment #10
