vhost-scsi triggers virt-aa-helper error

Bug #1829223 reported by Christian Ehrhardt  on 2019-05-15
Affects: libvirt (Ubuntu)

Bug Description

Forked from bug 1815910 as it is a different kind of problem and also a different fix.

FYI: this works just fine when defined at the time the guest starts.
libvirt mediates the access and passes an FD that at the time qemu can open and use.
Only later on when hot-plugging this occurs.

#1 prepare a scsi device to pass
$ sudo modprobe vhost-scsi
$ sudo targetcli backstores/block create name=disk1 dev=/dev/disk/by-path/ccw-0.0.e000-fc-0x50050763060b16b6-lun-0x4024400a00000000
$ sudo targetcli vhost/ create 50014059de6fba4f
$ sudo targetcli vhost/naa.50014059de6fba4f/tpg1/luns create /backstores/block/disk1

#2 describe the device to attach for libvirt
$ cat vhost-scsi.xml
    <hostdev mode='subsystem' type='scsi_host' managed='no'>
      <source protocol='vhost' wwpn='naa.50014059de6fba4f'/>
    </hostdev>

#3 do the hotplug
$ virsh attach-device disco-vhost vhost-scsi.xml
error: Failed to attach device from vhost-scsi.xml
error: internal error: cannot update AppArmor profile 'libvirt-9518e35c-c5ab-4d14-9204-003923544936'

When debugging this we see that, as expected, it triggers an error in virt-aa-helper:
/usr/lib/libvirt/virt-aa-helper -r -u libvirt-9518e35c-c5ab-4d14-9204-003923544936 -F /sys/kernel/config/target/vhost//naa.50014059de6fba4f
unexpected exit status 1
  virt-aa-helper: error: /sys/kernel/config/target/vhost//naa.50014059de6fba4f
  virt-aa-helper: error: skipped restricted file
  virt-aa-helper: error: invalid VM definition

Changed in libvirt (Ubuntu):
status: New → Triaged

Since "the dawn of ages", a.k.a. commit 51a4814f "Imported Upstream version 0.7.2", virt-aa-helper filters some paths [1].

/sys is one of them.

There is the feature to override certain sub-paths which is almost as old [2]:

We will have to register "/sys/kernel/config/target/vhost" there as well.

[1]: https://libvirt.org/git/?p=libvirt.git;a=blob;f=src/security/virt-aa-helper.c;hb=bbaecd6a8f15345bc822ab4b79eb0955986bb2fd#l467
[2]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=1efb6236744632c579049ee610dc1c8a42b3ee3d
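
A simplified model of the deny-list plus override check described in the comment above, added here as an illustration and not taken from virt-aa-helper.c. The function names and list contents are assumptions, except `/sys/` and `/sys/kernel/config/target/vhost`, which come from this report.

```c
#include <stdio.h>
#include <string.h>

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Assumed, shortened lists: only "/sys/" and the vhost target path are
 * from this bug report; the other entries are placeholders. */
static const char *const restricted[] = { "/proc/", "/sys/" };
static const char *const override_before[] = { "/sys/devices/pci" };
static const char *const override_after[] = {
    "/sys/devices/pci",
    "/sys/kernel/config/target/vhost",   /* the entry the fix registers */
};

static int starts_with_any(const char *path, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the path would be skipped as a restricted file, 0 if it may
 * be added to the profile. Overrides are consulted before the deny-list.
 * Matching is a plain string prefix: in this model an override without a
 * trailing slash also admits sibling names that share the prefix. */
static int path_is_restricted(const char *path,
                              const char *const *override, size_t n_override)
{
    if (starts_with_any(path, override, n_override))
        return 0;
    return starts_with_any(path, restricted, N(restricted));
}

int main(void)
{
    /* Path from the failing virt-aa-helper call in this report. */
    const char *p = "/sys/kernel/config/target/vhost//naa.50014059de6fba4f";

    printf("without override: %s\n",
           path_is_restricted(p, override_before, N(override_before))
               ? "skipped restricted file" : "allowed");
    printf("with override:    %s\n",
           path_is_restricted(p, override_after, N(override_after))
               ? "skipped restricted file" : "allowed");
    printf("other /sys path:  %s\n",
           path_is_restricted("/sys/kernel/debug", override_after,
                              N(override_after))
               ? "skipped restricted file" : "allowed");
    return 0;
}
```
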

I have a preliminary patch to test building in PPA:

I have a fix that allows the /sys path to be added.
But then we face (the expected bug) that follows bug 1815910

  error: internal error: unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

Due to:

I'll add vhost-scsi to the 1815910 fix and submit this patch here upstream.

Patch upstream accepted, bundling with the coming libvirt upload which was focused on these vhost fixes anyway.

Tested with 5.0.0-1ubuntu4~ppa1 from PPA; now all three vhost hotplug types work.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 5.0.0-1ubuntu4

libvirt (5.0.0-1ubuntu4) eoan; urgency=medium

  * d/p/ubuntu/lp-1825195-*.patch: fix issues with old guests that defined
    the never functional osxsave and ospke features (LP: #1825195).
  * d/p/series: reorder ubuntu Delta
  * d/p/ubuntu-aa/lp-1815910-allow-vhost-net.patch: avoid apparmor issues
    with vhost-net/vhost-vsock/vhost-scsi hotplug (LP: #1815910)
  * d/p/ubuntu-aa/lp-1829223-virt-aa-helper-allow-vhost-scsi.patch fix
    vhost-scsi hotplug in virt-aa-helper (LP: #1829223)

libvirt (5.0.0-1ubuntu3) eoan; urgency=medium

  * SECURITY UPDATE: Add support for md-clear functionality
    - debian/patches/ubuntu/md-clear.patch: Define md-clear CPUID bit in
    - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

 -- Christian Ehrhardt <email address hidden> Thu, 16 May 2019 10:42:09 +0200

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released