[Bug 988279] New: qemu-bridge-helper not useable by non root user
http://bugzilla.opensuse.org/show_bug.cgi?id=988279

Bug ID: 988279
Summary: qemu-bridge-helper not useable by non root user
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Tools
Assignee: virt-bugs@suse.de
Reporter: clark.boylan@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

When attempting to run virt-install as a non root user that is a member of the libvirt, kvm, and qemu groups the virt-install process fails to run qemu-bridge-helper. This appears to happen for two reasons:

1) apparmor is preventing this.
2) qemu-bridge-helper is not setuid.

Command to reproduce:

virt-install -n test-instance -r 2048 --os-type=linux --os-variant=ubuntu15.10 --disk /home/clark/virt/disks/xenial-server-cloudimg-amd64-disk1.img,device=disk,bus=virtio --disk /home/clark/virt/disks/init.iso,device=cdrom,bus=virtio -w bridge=br0,model=virtio --noautoconsole --import

Log from audit.log:

type=AVC msg=audit(1468123876.616:558): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/lib/qemu-bridge-helper" pid=19746 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Error when apparmor prevents this:

ERROR internal error: /usr/lib/qemu-bridge-helper --use-vnet --br=br0 --fd=22: failed to communicate with bridge helper: Transport endpoint is not connected stderr=libvirt: error : cannot execute binary /usr/lib/qemu-bridge-helper: Permission denied

Error when not setuid:

ERROR internal error: /usr/lib/qemu-bridge-helper --use-vnet --br=br0 --fd=22: failed to communicate with bridge helper: Transport endpoint is not connected stderr=failed to create tun device: Operation not permitted

I managed to correct the apparmor issue by copy pasting the qemu-bridge-helper content from /etc/apparmor.d/abstractions/libvirt-qemu and appending it to the end of the profile in /etc/apparmor.d/usr.sbin.libvirtd. This prevented apparmor from denying my access but then I ran into the tun device issue. To correct the tun device issue I had to chmod 4755 /usr/lib/qemu-bridge-helper. With that done virt-install works as expected and starts the virtual machine on the specified bridge.

I do not know if either of these steps is actually desirable from a security standpoint but I think that the ability to run virt-install and take advantage of qemu-bridge-helper is something that a non root user should be able to do.

--
You are receiving this mail because:
You are on the CC list for the bug.
Clark Boylan
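
The two failure stages in the report can be told apart from the audit record and the helper's stderr. The following Python is an added example, not part of the original report or of libvirt/QEMU; the function names and stage labels are hypothetical, and the sample strings are copied from the report.

```python
import re

# Audit record and stderr fragments copied from the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1468123876.616:558): apparmor="DENIED" '
    'operation="exec" profile="/usr/sbin/libvirtd" '
    'name="/usr/lib/qemu-bridge-helper" pid=19746 comm="libvirtd" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0')
STDERR_EXEC = "cannot execute binary /usr/lib/qemu-bridge-helper: Permission denied"
STDERR_TUN = "failed to create tun device: Operation not permitted"

def parse_audit(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    stamp = re.search(r"msg=audit\((\d+\.\d+):(\d+)\)", line)
    if stamp:
        fields["time"], fields["serial"] = float(stamp.group(1)), int(stamp.group(2))
    # Values are either double-quoted or run to the next whitespace.
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        if m.group(1) != "msg":
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def helper_exec_denials(lines, helper="/usr/lib/qemu-bridge-helper"):
    """Return records where AppArmor denied execute access to the helper."""
    hits = []
    for line in lines:
        rec = parse_audit(line)
        if (rec.get("type") == "AVC" and rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "exec" and rec.get("name") == helper
                and "x" in rec.get("denied_mask", "")):
            hits.append(rec)
    return hits

def failure_stage(stderr):
    """Name the stage at which the bridge helper failed (labels are hypothetical)."""
    if "cannot execute binary" in stderr and "Permission denied" in stderr:
        return "exec-blocked"         # helper never ran; look for an audit denial
    if "failed to create tun device" in stderr:
        return "helper-unprivileged"  # helper ran without privilege for the tun device
    return "unknown"

if __name__ == "__main__":
    for rec in helper_exec_denials([SAMPLE_AVC]):
        print(rec["profile"], "denied exec of", rec["name"], "for fsuid", rec["fsuid"])
    print(failure_stage(STDERR_EXEC), failure_stage(STDERR_TUN))
```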