virt-aa-helper refuses to create unix socket for a serial port

Bug #1015154 reported by Ian Wells
22
This bug affects 5 people
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Fix Released
High
Serge Hallyn

Bug Description

If I have the following in a libvirt.xml file:

    <serial type="unix">
      <source path="/opt/stack/nova/serial/instance-00000033-serial1" mode="bind"/>
      <target port="1"/>
    </serial>

Then I should end up with a unix socket created when I hand this XML off to libvirt. (I use other types of serial port, such as TCP or file, and they work without problems.) Instead, the VM crashes on startup with 'permission denied' on bind()ing that socket.

However, with the above, I get the following in /var/log/syslog:

Jun 19 07:27:57 ubuntu kernel: [490560.166998] type=1400 audit(1340116077.186:111): apparmor="STATUS" operation="profile_load" name="libvirt-bc24d2ed-d49d-412b-b20b-fd1ec2d1b7b4" pid=26476 comm="apparmor_parser"
Jun 19 07:27:58 ubuntu kernel: [490561.130340] type=1400 audit(1340116078.150:112): apparmor="DENIED" operation="mknod" parent=1 profile="libvirt-bc24d2ed-d49d-412b-b20b-fd1ec2d1b7b4" name="/opt/stack/nova/serial/instance-00000033-serial1" pid=26519 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=117 ouid=117
Jun 19 07:28:29 ubuntu kernel: [490592.296057] type=1400 audit(1340116109.312:113): apparmor="STATUS" operation="profile_remove" name="libvirt-bc24d2ed-d49d-412b-b20b-fd1ec2d1b7b4" pid=27711 comm="apparmor_parser"

It looks to me like virt-aa-helper has not granted sufficient permissions to the qemu instance to create the unix socket.

$ lsb_release -rd ; apt-cache policy libvirt-bin
Description: Ubuntu 11.10
Release: 11.10
libvirt-bin:
  Installed: 0.9.2-4ubuntu15.2
  Candidate: 0.9.2-4ubuntu15.2
  Version table:
 *** 0.9.2-4ubuntu15.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.2-4ubuntu15 0
        500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages

Tags: patch
Ian Wells (ijw-ubuntu)
summary: - virt-aa-helper refuses to allow create unix sockets
+ virt-aa-helper refuses to create unix socket for a serial port
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks for taking the time to report this bug.

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Datapro Services (it-iizj) wrote :

Any news on this?
I've hit the same thing

Ubuntu server 12.04
Attempting to create socket connection between VM host and a pre-existing guest.
Following this guide
http://wiki.libvirt.org/page/Qemu_guest_agent

New channel defined in VM

<channel type='unix'>
   <source mode='bind' path='/var/lib/libvirt/qemu/app-dev-tony.agent'/>
   <target type='virtio' name='org.qemu.guest_agent.0'/>
</channel>

When starting VM, get the following

error: Failed to start domain app-dev-tony
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/3
bind(unix:/var/lib/libvirt/qemu/app-dev-tony.agent): Permission denied
chardev: opening backend "socket" failed: Permission denied

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

This will require a patch to virt-aa-helper to find unix channel
definitions and whitelist their paths for the new vm. If anyone
has a patch to do so that would be great.

Changed in libvirt (Ubuntu):
importance: Medium → High
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Looks like around line 999 of src/security/virt-aa-helper is the right place to add a check for VIR_DOMAIN_CHR_TYPE_UNIX

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

The patch debian/patches/9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch needs to be expanded to add the UNIX check to serials, consoles, and parallells.

Changed in libvirt (Ubuntu):
status: Fix Released → Triaged
assignee: nobody → Serge Hallyn (serge-hallyn)
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Here is a debdiff for wily to fix this. It will hopefully be included in the upcoming 1.2.16 merge.

tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.16-2ubuntu2

---------------
libvirt (1.2.16-2ubuntu2) wily; urgency=low

  [ Chris J Arges ]
  * Merge from Debian unstable. Remaining changes:
    - debian/apparmor/{libvirt-lxc,libvirt-qemu,local-usr.sbin.libvirtd,
      TEMPLATE.lxc,TEMPLATE.qemu,usr.lib.libvirt.virt-aa-helper,
      usr.sbin.libvirtd} Add apparmor profiles.
    - debian/bug-presubj: removed
    - debian/control:
      - add cdbs, dh-autoreconf, libcurl4-gnutls-dev
      - add libxml-libxml-perl, libhal-dev
      - swap open-iscsi to open-iscsi-utils
      - Enable numa support on ppc64 and ppc64el.
      - remove libsanlock-dev, libselinux1-dev, libsystemd-daemon-dev
      - remove systemtap-sdt-dev, python, sheepdog, librados-dev, libfuse-dev
      - remove libssh2-1, augeas-tools
      - add libcgmanager-dev, xsltproc
      - remove Vcs-Git
      - adjust X-Python-Version > 2.7
      - don't build libvirt-clients, libvirt-daemon, libvirt-sanlock packages
    * keep debian/{libvirt-bin.apport,libvirt-bin.cron.daily}
    * debian/libvirt-daemon.* has been mostly renamed to debian/libvirt-bin.*
    * add upstart script for libvirt-bin
    * debian/*.links files not added
    * debian/libvirt-sanlock* not merged
    * debian/libvirt-clients* not merged
    * debian smoke tests not merged
    * keep debian/{libvirt-migrate-qemu-disks.*,
      libvirt-migrate-qemu-machinetype.*,
      libvirt-migrate-xend-managed-domains.*}
    * keep debian/libvirt-suspendonreboot
    * keep debian/libvirt-uri.sh
    * Don't apply the following patches:
      - d/p/Debianize-libvirt-guests.patch
      - d/p/Debianize-systemd-service-files.patch
      - d/p/debian/Debianize-virtlockd.patch
      - d/p/fix-Debian-specific-path-to-hvm-loader.patch
      - d/p/Disable-gnulib-s-test-nonplocking-pipe.sh.patch
      - d/p/patch-qemuMonitorTextGetMigrationStatus-to-intercept.patch
    * debian/polkit/* not added
    * debian/README.Debian:
      - add 'Apparmor Profile' section
      - add 'Disk migration' section
    * debian/rules:
      - add cdbs and autoconf stuff
      - don't build WITH_SANLOCK, WITH_INIT_SCRIPT, WITH_SYSTEMD, WITH_FIREWALLD
        WITH_SELINUX
      - use qemu-group kvm instead of libvirt-qemu
      - set DEB_DH_INSTALLINIT_ARGS to '--upstart-only'
      - remove auto_test section
      - add build/libvirt-bin:: section to install
        - apparmor files
        - apport hooks
        - libvirt-migrate-qemu-disks
      - use clean:: instead of dh_*clean

  [ Chuck Short ]
    + Rediffed:
     - debian/patches/storage-default-permission-mode-to-0711
     - debian/patches/ubuntu_machine_type.patch
  * debian/libvirt-bin.init: Adjust avahi to avahi-daemon (LP: #1453572)

  [ Serge Hallyn ]
  * 9040-virt-aa-helper-add-unix-channels.patch: add support for unix
    sockets for serials. (LP: #1015154)

 -- Chris J Arges <email address hidden> Wed, 01 Jul 2015 13:33:40 -0500

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Cody Pisto (cpisto) wrote :

This bug seems to have reappeared in ubuntu 16.04 beta (libvirt 1.3.1)

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

@codyp,

please open a new bug showing the details of how the host and guest are setup and how it failed.

I can create a VM with a unix socket for serial, however I have to specify a path which libvirt-qemu user can write to. So for instance I created /opt/qemu and chowned it to libvirt-qemu:kvm, then specified /opt/qemu/xx as the pathname, and that worked. Using /opt/xx did not. The apparmor exception is being added:

  "/opt/qemu/xx" rw,

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers