apparmor: allow libvirtd to call virtiofsd (LP: #1892736)

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

apparmor: allow libvirtd to call virtiofsd (LP: #1892736)
6377d90d · Christian Ehrhardt · c12faf12 · 6377d90d · 6377d90d
Verified Commit 6377d90d authored 4 years ago by Christian Ehrhardt
--- a/debian/patches/backport/apparmor-allow-libvirtd-to-call-virtiofsd.patch
+++ b/debian/patches/backport/apparmor-allow-libvirtd-to-call-virtiofsd.patch
+From: Kevin Locke <kevin@kevinlocke.name>
+Date: Tue, 25 Aug 2020 07:31:27 -0600
+Subject: apparmor: allow libvirtd to call virtiofsd
+
+When using [virtiofs], libvirtd must launch [virtiofsd] to provide
+filesystem access on the host.  When a guest is configured with
+virtiofs, such as:
+
+    <filesystem type='mount' accessmode='passthrough'>
+      <driver type='virtiofs'/>
+      <source dir='/path'/>
+      <target dir='mount_tag'/>
+    </filesystem>
+
+Attempting to start the guest fails with:
+
+    internal error: virtiofsd died unexpectedly
+
+/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains (as a single
+line, wrapped below):
+
+    libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd:
+    Permission denied
+
+dmesg contains (as a single line, wrapped below):
+
+    audit: type=1400 audit(1598229295.959:73): apparmor="DENIED"
+    operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd"
+    pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x"
+    fsuid=0 ouid=0
+
+To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
+profile.
+
+[virtiofs]: https://libvirt.org/kbase/virtiofs.html
+[virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html
+
+Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
+Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+(cherry picked from commit 44cbd3afaf9b6ba84af9b68825cede9ff60e1138)
+---
+ src/security/apparmor/usr.sbin.libvirtd.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
+index 6cfb812..8664460 100644
+--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
+@@ -88,6 +88,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
+   /usr/lib/xen-*/bin/libxl-save-helper PUx,
+   /usr/lib/xen-*/bin/pygrub PUx,
+   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
+  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
+ 
+   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+   # read and run an ebtables script.
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,7 @@ backport/virdevmapper-Ignore-all-errors-when-opening-dev-mapper-co.patch
 backport/tools-fix-libvirt-guests.sh-text-assignments.patch
 backport/apparmor-allow-default-pki-path.patch
 backport/apparmor-allow-libvirtd-to-call-pygrub.patch
+backport/apparmor-allow-libvirtd-to-call-virtiofsd.patch
 forward/Skip-vircgrouptest.patch
 forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch
 forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch