On 8/19/21 12:57 AM, Jim Fehlig wrote:
> Attaching a newly created vhostuser port to a VM fails due to an
> apparmor denial
>
> internal error: unable to execute QEMU command 'chardev-add': Failed
> to bind socket to /run/openvswitch/vhu838c4d29-c9: Permission denied
>
> In the case of a net device type VIR_DOMAIN_NET_TYPE_VHOSTUSER, the
> underlying chardev is not labeled in qemuDomainAttachNetDevice prior
> to calling qemuMonitorAttachCharDev.
>
> A simple fix would be to call qemuSecuritySetChardevLabel using the
> embedded virDomainChrSourceDef in the virDomainNetDef vhostuser data,
> but this incurs the risk of incorrectly restoring the label. E.g.
> consider the DAC driver behavior with a vhostuser net device, which
> uses a socket for the chardev backend. The DAC driver uses XATTRS to
> store original labelling information, but XATTRS are not compatible
> with sockets. Without the original labelling information, the socket
> labels will be restored with root ownership, preventing other
> less-privileged processes from connecting to the socket.
>
> This patch avoids overloading chardev labelling with vhostuser net
> devices by introducing virSecurityManager{Set,Restore}NetdevLabel,
> which is currently only implemented for the apparmor driver. The
> new APIs are then used to set and restore labels for the vhostuser
> net devices.
>
> Signed-off-by: Jim Fehlig <jfehlig@xxxxxxxx>
> ---
>
> V2 of:
> https://listman.redhat.com/archives/libvir-list/2021-August/msg00373.html
>
> Changes since V1:
> Introduce and use new APIs for labeling net devices
> Don't perform labelling while executing monitor commands
> Restore labels if hotplug fails
>
> src/libvirt_private.syms         |  2 ++
> src/qemu/qemu_hotplug.c          | 13 +++++++
> src/qemu/qemu_security.c         | 59 ++++++++++++++++++++++++++++++
> src/qemu/qemu_security.h         |  8 +++++
> src/security/security_apparmor.c | 61 ++++++++++++++++++++++++++++++++
> src/security/security_driver.h   |  9 +++++
> src/security/security_manager.c  | 38 ++++++++++++++++++++
> src/security/security_manager.h  |  8 +++++
> src/security/security_stack.c    | 52 +++++++++++++++++++++++++++
> 9 files changed, 250 insertions(+)

Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx>

Michal
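The reasoning in the quoted patch description hinges on one Linux fact: a DAC-style driver that stashes the original owner of a path in an extended attribute has nowhere to put that data when the path is a unix-domain socket, because the kernel refuses user.* xattrs on anything other than regular files and directories. The program below is an added illustration of that point, not code from libvirt or from the patch under review: it creates a socket in a fresh temporary directory, tries to record the current owner in a constructed user.demo.orig_owner attribute (libvirt's real attribute names differ), and returns the errno it gets back, then does the same for a regular file for comparison. The helper names and the attribute name are assumptions made for this demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Constructed attribute name for this demo; libvirt's real xattr names differ. */
#define DEMO_XATTR "user.demo.orig_owner"

/* Record "uid:gid" of `path` in an xattr on that path, the way a DAC-style
 * driver would remember the original label before relabelling.
 * Returns 0 on success, otherwise the errno from stat()/setxattr(). */
static int stash_owner_xattr(const char *path)
{
    struct stat st;
    char value[64];

    if (stat(path, &st) != 0)
        return errno;
    snprintf(value, sizeof(value), "%u:%u",
             (unsigned)st.st_uid, (unsigned)st.st_gid);
    if (setxattr(path, DEMO_XATTR, value, strlen(value), 0) != 0)
        return errno;
    return 0;
}

/* Create and bind a unix-domain socket at `path`; returns the fd or -1. */
static int make_unix_socket(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(addr.sun_path)) {
        close(fd);
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(addr.sun_path, path);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Try the xattr stash on a freshly bound socket.
 * Returns the errno from the stash (0 if it was accepted), or -1 if the
 * socket itself could not be created. */
int xattr_on_socket_result(void)
{
    char dir[] = "/tmp/vhu-xattr-XXXXXX";
    char path[sizeof(dir) + 8];
    int fd, rc;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof(path), "%s/sock", dir);
    fd = make_unix_socket(path);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    rc = stash_owner_xattr(path);
    close(fd);
    unlink(path);
    rmdir(dir);
    return rc;
}

/* Same stash on a regular file; whether it succeeds depends on the
 * filesystem's user.* xattr support, so this is for comparison only. */
int xattr_on_regular_file_result(void)
{
    char path[] = "/tmp/vhu-xattr-file-XXXXXX";
    int fd = mkstemp(path), rc;

    if (fd < 0)
        return -1;
    close(fd);
    rc = stash_owner_xattr(path);
    unlink(path);
    return rc;
}

int main(void)
{
    int s = xattr_on_socket_result();
    int f = xattr_on_regular_file_result();

    printf("socket:       %s\n", s < 0 ? "setup failed" : s ? strerror(s) : "xattr stored");
    printf("regular file: %s\n", f < 0 ? "setup failed" : f ? strerror(f) : "xattr stored");
    return 0;
}
```

On Linux the socket case fails before any filesystem handler runs (the VFS rejects user.* writes on non-regular, non-directory inodes), which is exactly why restoring a DAC label for the vhostuser socket would fall back to root ownership and why the patch routes these devices through separate netdev-label APIs instead of the chardev path.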