From: Andrea Bolognani <abologna@redhat.com>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: Prafulla Giri <prafulla.giri@protonmail.com>,
"passt-dev@passt.top" <passt-dev@passt.top>
Subject: Re: Apparmor (and other) Issues
Date: Tue, 4 Feb 2025 15:50:43 +0000 [thread overview]
Message-ID: <CABJz62OUge8uNdXHVGU+YOW1_MfGbUMHnnb3DWk4nRe+k03BhA@mail.gmail.com> (raw)
In-Reply-To: <20250204111724.48b73b37@elisabeth>
On Tue, Feb 04, 2025 at 11:17:24AM +0100, Stefano Brivio wrote:
> On Tue, 4 Feb 2025 09:50:40 +0000 Andrea Bolognani <abologna@redhat.com> wrote:
> > I've skimmed the conversation trying to understand whether there's
> > anything that I need do from the libvirt side, but AFAICT no explicit
> > action has been called for so far.
>
> Not yet, because I was hoping to figure out what's going on, but I'm
> actually (almost?) stuck now. I don't think this is the same as
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094583 by the way,
That issue can only manifest itself when upgrading from bookworm, so
if you have performed a fresh install of sid you don't need to worry
about it.
> This is really pretty simple: fresh Debian sid image, all packages
> updated to today. Then:
>
> virt-install -d --name alpine --memory 1024 --noreboot --osinfo alpinelinux3.20 --network backend.type=passt,portForward0.proto=tcp,portForward0.range0.start=40922,portForward0.range0.to=22 --import --disk nocloud_alpine-3.21.2-x86_64-bios-tiny-r0.qcow2
>
> this works. But:
>
> $ virsh start alpine
> error: Failed to start domain 'alpine'
> error: internal error: Child process (passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0.socket --pid /run/user/1000/libvirt/qemu/run/passt/1-alpine-net0-passt.pid --tcp-ports 40922:2) unexpected fatal signal 11
>
> execve() of passt is denied by AppArmor. Starting passt on its own
> (passt -f) works, instead.
I was initially very surprised to read this, but it makes sense after
spending some more time looking into it.
Normally, virt-install will perform guest creation in two phases. The
first one is the installation itself, which needs the install media
to be connected; once that's done, the OS installer will usually
initiate a reboot, and when the VM comes up again the installl media
will no longer be connected. Other changes to the configuration might
happen as well, I'm not 100% sure.
Anyway, since you've passed --noreboot above, virt-install will only
go through the first phase of installing the guest; additionally,
since you've passed --import, the VM will only be defined and the
installation will be considered done without having to start it once.
As a counter-example, see how the behavior changes when performing a
"regular" install from CDROM instead:
$ virt-install --name alpine --memory 1024 --osinfo alpinelinux3.20 \
--network backend.type=passt --graphics none --disk none \
--cdrom ./alpine-virt-3.21.2-x86_64.iso
Starting install...
ERROR internal error: Child process (passt --one-off
--socket /run/user/1000/libvirt/qemu/run/passt/3-alpine-net0.socket
--pid /run/user/1000/libvirt/qemu/run/passt/3-alpine-net0-passt.pid)
unexpected fatal signal 11
So there's no magic to that first VM start that apparently worked
even when subsequent ones wouldn't. The VM start simply didn't happen
in the first place.
> At this point, which libvirtd (?) process should associate with which
> libvirtd profile? Once that's clear to me, I can probably debug further.
>
[...]
>
> I'm fairly sure it's libvirt, because I didn't change anything
> substantial in passt, and it's anyway the AppArmor profile for libvirtd
> that seems to be... missing? And yet it's there.
We're going back to the question of how AppArmor works for
unprivileged VMs... The short answer is that I'm not convinced it
does.
In order to make a direct comparison, I've create the very same
Alpine VM, with no network interface, both on qemu:///system and
qemu:///user.
When I start the former, the (filtered) output for aa-status goes
from
22 profiles are in enforce mode.
libvirtd
libvirtd//qemu_bridge_helper
virt-aa-helper
25 profiles are in complain mode.
dnsmasq//libvirt_leaseshelper
2 processes are in enforce mode.
/usr/sbin/libvirtd (862) libvirtd
to
24 profiles are in enforce mode.
libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4
libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4//passt
libvirtd
libvirtd//qemu_bridge_helper
virt-aa-helper
25 profiles are in complain mode.
dnsmasq//libvirt_leaseshelper
3 processes are in enforce mode.
/usr/bin/qemu-system-x86_64 (1310)
libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4
/usr/sbin/libvirtd (862) libvirtd
The additional profiles (libvirt-1cdfdfd3-a020-45d9-8f88-8e0ce31745c4
and its passt subprofile) are generated dynamically when the VM is
started and the QEMU process gets the correct one assigned to it. So
far so good.
After launching the qemu:///session VM, however, the situation is a
lot different:
22 profiles are in enforce mode.
libvirtd
libvirtd//qemu_bridge_helper
virt-aa-helper
25 profiles are in complain mode.
dnsmasq//libvirt_leaseshelper
4 processes are in enforce mode.
/usr/sbin/libvirtd (1589) libvirtd
/usr/sbin/virtlogd (1632) libvirtd
As you can see, the per-VM profile hasn't been created, and so
obviously it couldn't be applied to the QEMU process either.
This is probably undesirable, but at the same time I'm not really
sure how it could be fixed. Creating a new profile requires dropping
a file in /etc/apparmor.d/libvirt, and the unprivileged libvirtd
intentionally doesn't have the necessary permissions to do that...
Do you have any ideas?
--
Andrea Bolognani / Red Hat / Virtualization
next prev parent reply other threads:[~2025-02-04 15:50 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <gfnJ5_aKhxXif2AlacEZIAO3UgiyKhgfDhlg7-FWBbkXttL891Y9k0zClSeYZiLN8JkMF9Z_pprz9f3w88cjZTkHL42cjar9boCCIuS6B08=@protonmail.com>
2025-01-29 9:41 ` Apparmor (and other) Issues Stefano Brivio
2025-01-29 18:10 ` Prafulla Giri
2025-01-29 18:48 ` Stefano Brivio
2025-01-30 10:05 ` Prafulla Giri
2025-01-31 20:20 ` Stefano Brivio
[not found] ` <NNMPy6qrSrpU0VFxOsd8tUnJFDsz_Ychl7WAxOB1aYfyRCjzTG4uzNEGZLkHUa_NnxCEAL_X1lhnySdZ_1i2ZMxuVK0zDHa-YLex3O5fhRw=@protonmail.com>
2025-02-02 14:40 ` Prafulla Giri
2025-02-03 8:35 ` Stefano Brivio
[not found] ` <0gHPSAbajW7n2zyIE-8k2vez7nkpAHQOnP4p6yfc6i5v948AExss0zBAYKF-92Yqf90DhAg3Xx9u19aw4TtSQLnpNgvCEa--wkPTL0PDdnM=@protonmail.com>
2025-02-04 8:50 ` Stefano Brivio
2025-02-04 9:50 ` Andrea Bolognani
2025-02-04 10:17 ` Stefano Brivio
2025-02-04 15:50 ` Andrea Bolognani [this message]
2025-02-04 16:22 ` Stefano Brivio
2025-02-04 18:46 ` Andrea Bolognani
2025-02-04 19:14 ` Stefano Brivio
2025-02-04 22:19 ` Andrea Bolognani
2025-02-04 22:34 ` Stefano Brivio
2025-02-05 7:40 ` Prafulla Giri
2025-02-05 10:16 ` Stefano Brivio
2025-02-07 6:49 ` Prafulla Giri
2025-02-07 9:16 ` Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABJz62OUge8uNdXHVGU+YOW1_MfGbUMHnnb3DWk4nRe+k03BhA@mail.gmail.com \
--to=abologna@redhat.com \
--cc=passt-dev@passt.top \
--cc=prafulla.giri@protonmail.com \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).