mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-02-22 03:12:22 +00:00
apparmor: allow libvirtd to call virtiofsd
When using [virtiofs], libvirtd must launch [virtiofsd] to provide
filesystem access on the host. When a guest is configured with
virtiofs, such as:

    <filesystem type='mount' accessmode='passthrough'>
      <driver type='virtiofs'/>
      <source dir='/path'/>
      <target dir='mount_tag'/>
    </filesystem>

Attempting to start the guest fails with:

    internal error: virtiofsd died unexpectedly

/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains (as a single
line, wrapped below):

    libvirt: error : cannot execute binary /usr/lib/qemu/virtiofsd:
    Permission denied

dmesg contains (as a single line, wrapped below):

    audit: type=1400 audit(1598229295.959:73): apparmor="DENIED"
    operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd"
    pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x"
    fsuid=0 ouid=0

To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
profile.

[virtiofs]: https://libvirt.org/kbase/virtiofs.html
[virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
parent
89f5b90a5f
commit
44cbd3afaf
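
The denial quoted in the commit message can be triaged mechanically before and after a profile change. The following is an added example, not part of the libvirt commit: it parses AppArmor audit records, lists denied execs, and checks them against the path of the rule from the diff. The function names and every sample record except the first are constructed for illustration, and only `{a,b}` alternation is expanded (no `*` or `**` globs).

```python
import re

# key=value or key="quoted value" fields of an AppArmor audit record
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit(line):
    """Return the record's fields as a dict, or None for non-AppArmor lines."""
    if "apparmor=" not in line:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in _FIELD.findall(line)}

def exec_denials(lines):
    """Return sorted (profile, binary) pairs for every denied exec."""
    hits = set()
    for line in lines:
        rec = parse_audit(line)
        if (rec and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "exec"
                and "x" in rec.get("denied_mask", "")):
            hits.add((rec.get("profile", "?"), rec.get("name", "?")))
    return sorted(hits)

def expand_braces(pattern):
    """Expand {a,b,c} alternations in a profile path into literal paths."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt + tail)]

# Path of the rule added by the commit.
RULE_PATH = "/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd"

# First record is the one quoted in the commit message; the rest are constructed.
SAMPLE = [
    'audit: type=1400 audit(1598229295.959:73): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'audit: type=1400 audit(1598229296.101:74): apparmor="DENIED" operation="open" profile="libvirtd" name="/constructed/path" pid=46007 comm="rpc-worker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1598229297.000:75): apparmor="DENIED" operation="exec" profile="libvirtd" name="/constructed/bin/helper" pid=46008 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'usb 1-1: new high-speed USB device (constructed non-audit line)',
]

def still_denied(lines, rule_path=RULE_PATH, profile="libvirtd"):
    """Denied execs under `profile` whose binary the rule path does not cover."""
    allowed = set(expand_braces(rule_path))
    return [(p, n) for p, n in exec_denials(lines)
            if p == profile and n not in allowed]
```

Feeding it the output of `dmesg` or the audit log line by line shows which exec denials a candidate rule would leave unresolved.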
@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
|
||||
/usr/lib/xen-*/bin/libxl-save-helper PUx,
|
||||
/usr/lib/xen-*/bin/pygrub PUx,
|
||||
/usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
|
||||
/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
|
||||
|
||||
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
|
||||
# read and run an ebtables script.
|
||||
|
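Review bot: the added `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,` line carries no comment, and `PUx` falls back to running the binary unconfined whenever no separate virtiofsd profile is loaded. Since virtiofsd is the process that gives the guest access to a host directory, please add a short comment above the rule (as the nwfilter/ebtables comment just below does) saying it is needed for guests using `<driver type='virtiofs'/>`, and state whether a dedicated virtiofsd profile is expected so that the unconfined fallback is a deliberate choice. The brace list does cover the `/usr/lib/qemu/virtiofsd` path from the denial and mirrors the vhost-user-gpu line above, so the path pattern itself looks fine.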