git.ipfire.org Git - thirdparty/libvirt.git/commitdiff
apparmor: allow libvirtd to call virtiofsd
author: Kevin Locke <kevin@kevinlocke.name>
Tue, 25 Aug 2020 13:31:27 +0000 (07:31 -0600)
committer: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Wed, 26 Aug 2020 08:34:53 +0000 (10:34 +0200)
When using [virtiofs], libvirtd must launch [virtiofsd] to provide
filesystem access on the host.  When a guest is configured with
virtiofs, such as:

    <filesystem type='mount' accessmode='passthrough'>
      <driver type='virtiofs'/>
      <source dir='/path'/>
      <target dir='mount_tag'/>
    </filesystem>

Attempting to start the guest fails with:

    internal error: virtiofsd died unexpectedly

/var/log/libvirt/qemu/$name-fs0-virtiofsd.log contains (as a single
line, wrapped below):

    libvirt:  error : cannot execute binary /usr/lib/qemu/virtiofsd:
    Permission denied

dmesg contains (as a single line, wrapped below):

    audit: type=1400 audit(1598229295.959:73): apparmor="DENIED"
    operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd"
    pid=46007 comm="rpc-worker" requested_mask="x" denied_mask="x"
    fsuid=0 ouid=0

To avoid this, allow execution of virtiofsd from the libvirtd AppArmor
profile.

[virtiofs]: https://libvirt.org/kbase/virtiofs.html
[virtiofsd]: https://www.qemu.org/docs/master/interop/virtiofsd.html

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
src/security/apparmor/usr.sbin.libvirtd.in

index 4518e8f865dc302b7791f0d33f67710d08079d01..f2030764cd32b1026584fbcbac89d654117506da 100644 (file)
@@ -89,6 +89,7 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
   /usr/lib/xen-*/bin/libxl-save-helper PUx,
   /usr/lib/xen-*/bin/pygrub PUx,
   /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
+  /usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,
 
   # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
   # read and run an ebtables script.
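Review bot: the new `/usr/{lib,lib64,lib/qemu,libexec}/virtiofsd PUx,` line uses the PUx transition, which means virtiofsd runs unconfined (with a scrubbed environment) whenever no dedicated AppArmor profile for it is loaded; since the commit message shows virtiofsd serving a host directory in passthrough mode on behalf of a guest, the commit message should state whether a dedicated virtiofsd profile was considered, or a follow-up should add one so the fallback to unconfined is not the normal case. The rule is consistent with the neighbouring vhost-user-gpu line, and the `lib/qemu` alternative covers the exact path `/usr/lib/qemu/virtiofsd` from the audit denial quoted above.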