Bug ID: 988279
Summary: qemu-bridge-helper not usable by non-root user
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Tools
Assignee: virt-bugs@suse.de
Reporter: clark.boylan@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

When attempting to run virt-install as a non-root user who is a member of the
libvirt, kvm, and qemu groups, the virt-install process fails to run
qemu-bridge-helper. This appears to happen for two reasons:

1) apparmor is preventing this.
2) qemu-bridge-helper is not setuid.

Command to reproduce:
virt-install -n test-instance -r 2048 --os-type=linux --os-variant=ubuntu15.10 \
  --disk /home/clark/virt/disks/xenial-server-cloudimg-amd64-disk1.img,device=disk,bus=virtio \
  --disk /home/clark/virt/disks/init.iso,device=cdrom,bus=virtio \
  -w bridge=br0,model=virtio --noautoconsole --import

Log from audit.log:
type=AVC msg=audit(1468123876.616:558): apparmor="DENIED" operation="exec"
profile="/usr/sbin/libvirtd" name="/usr/lib/qemu-bridge-helper" pid=19746
comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Error when apparmor prevents this:
ERROR    internal error: /usr/lib/qemu-bridge-helper --use-vnet --br=br0
--fd=22: failed to communicate with bridge helper: Transport endpoint is not
connected
stderr=libvirt:  error : cannot execute binary /usr/lib/qemu-bridge-helper:
Permission denied

Error when not setuid:
ERROR    internal error: /usr/lib/qemu-bridge-helper --use-vnet --br=br0
--fd=22: failed to communicate with bridge helper: Transport endpoint is not
connected
stderr=failed to create tun device: Operation not permitted

I managed to correct the apparmor issue by copy-pasting the qemu-bridge-helper
content from /etc/apparmor.d/abstractions/libvirt-qemu and appending it to the
end of the profile in /etc/apparmor.d/usr.sbin.libvirtd. This prevented
apparmor from denying my access, but then I ran into the tun device issue.

To correct the tun device issue I had to chmod 4755
/usr/lib/qemu-bridge-helper. With that done virt-install works as expected and
starts the virtual machine on the specified bridge.

I do not know if either of these steps is actually desirable from a security
standpoint, but I think that the ability to run virt-install and take advantage
of qemu-bridge-helper is something that a non-root user should be able to do.
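A small audit script for the two conditions the report identifies (helper mode bits and AppArmor exec denials), added here as an example and not part of the bug report or of the openSUSE packages; it assumes GNU stat(1), the helper path named in the report, and audit.log lines in the format quoted above, and the `--report` flag is the script's own.

```shell
#!/bin/sh
# Added example (not from the bug report): check the helper's mode bits and
# count AppArmor exec denials for it, before and after any change to the
# binary's mode or to /etc/apparmor.d/usr.sbin.libvirtd.
# Assumes GNU coreutils stat(1) and audit.log lines as quoted in the report.

HELPER=/usr/lib/qemu-bridge-helper   # path taken from the report

# Succeed only if FILE has the setuid bit (first octal digit 4-7) and no
# group/world write bit (last two digits in 0,1,4,5), e.g. 4755 as the
# reporter set; a group/world-writable setuid-root helper could be replaced
# by another user and then run as root by libvirtd.
helper_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        [4-7][0-7][0145][0145]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print how many AppArmor "DENIED" exec events naming HELPER are in LOGFILE.
audit_exec_denials() {
    grep -c "apparmor=\"DENIED\" operation=\"exec\".*name=\"$2\"" "$1" 2>/dev/null || :
}

# Constructed sample input: the denial quoted in the report plus an unrelated
# ALLOWED event, so the filter above can be exercised offline.
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1468123876.616:558): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/lib/qemu-bridge-helper" pid=19746 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1468123900.000:559): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=19746 comm="libvirtd"
EOF
}

# Report both conditions for the real helper and the real audit log.
report() {
    if helper_mode_ok "$HELPER"; then
        echo "mode OK: $(stat -c '%a %U' "$HELPER")"
    else
        echo "mode NOT OK: $(stat -c '%a %U' "$HELPER" 2>/dev/null || echo missing)"
    fi
    echo "AppArmor exec denials for $HELPER: $(audit_exec_denials /var/log/audit/audit.log "$HELPER")"
}

case "${1:-}" in
    --report) report ;;
esac
```

The setuid helper additionally enforces its own bridge ACL from /etc/qemu/bridge.conf (for example `allow br0`), so granting setuid alone does not let every user attach to every bridge.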
