From: Jim Fehlig
To: libvir-list@redhat.com
Subject: [PATCH] qemu: Label vhostuser net device
Date: Fri, 13 Aug 2021 15:36:51 -0600
Message-ID: <20210813213651.17073-1-jfehlig@suse.com>

Attaching a newly created vhostuser port to a VM fails due to an
apparmor denial

internal error: unable to execute QEMU command 'chardev-add': Failed
to bind socket to /run/openvswitch/vhu838c4d29-c9: Permission denied

In the case of a net device type VIR_DOMAIN_NET_TYPE_VHOSTUSER, the
underlying chardev is not labeled in
qemuDomainAttachNetDevice prior to calling qemuMonitorAttachCharDev. Label the chardev before calling qemuMonitorAttachCharDev, and restore the label when removing the net device. Signed-off-by: Jim Fehlig --- src/qemu/qemu_hotplug.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index c00e8a7852..42e7997112 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1467,6 +1467,11 @@ qemuDomainAttachNetDevice(virQEMUDriver *driver, } =20 if (actualType =3D=3D VIR_DOMAIN_NET_TYPE_VHOSTUSER) { + virDomainChrDef chr =3D { .source =3D net->data.vhostuser }; + + if (qemuSecuritySetChardevLabel(driver, vm, &chr) < 0) + goto cleanup; + if (qemuMonitorAttachCharDev(priv->mon, charDevAlias, net->data.vh= ostuser) < 0) { ignore_value(qemuDomainObjExitMonitor(driver, vm)); virDomainAuditNet(vm, NULL, net, "attach", false); @@ -4692,6 +4697,8 @@ qemuDomainRemoveNetDevice(virQEMUDriver *driver, } =20 if (actualType =3D=3D VIR_DOMAIN_NET_TYPE_VHOSTUSER) { + virDomainChrDef chr =3D { .source =3D net->data.vhostuser }; + /* vhostuser has a chardev too */ if (qemuMonitorDetachCharDev(priv->mon, charDevAlias) < 0) { /* well, this is a messy situation. Guest visible PCI device h= as @@ -4699,6 +4706,8 @@ qemuDomainRemoveNetDevice(virQEMUDriver *driver, * to just ignore the error and carry on. */ } + if (qemuSecurityRestoreChardevLabel(driver, vm, &chr) < 0) + VIR_WARN("Unable to restore security label on vhostuser char d= evice"); } else if (actualType =3D=3D VIR_DOMAIN_NET_TYPE_VDPA) { int vdpafdset =3D -1; g_autoptr(qemuMonitorFdsets) fdsets =3D NULL; --=20 2.32.0
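
Review bot: the new "goto cleanup" in the first hunk (qemuDomainAttachNetDevice, @@ -1467) skips the steps that the neighbouring qemuMonitorAttachCharDev failure path takes, namely ignore_value(qemuDomainObjExitMonitor(driver, vm)) and virDomainAuditNet(vm, NULL, net, "attach", false). That context indicates the monitor has already been entered when qemuSecuritySetChardevLabel is called, so either label the chardev before entering the monitor or exit the monitor and audit on this path as well. The visible lines also show no restore of the label when qemuMonitorAttachCharDev fails after labeling succeeded; if the cleanup path does not already cover that, add a qemuSecurityRestoreChardevLabel call there so a failed hotplug does not leave the socket relabeled.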
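
Review bot: the temporary declared in the second hunk (qemuDomainRemoveNetDevice, @@ -4692), virDomainChrDef chr = { .source = net->data.vhostuser }, duplicates the one added in qemuDomainAttachNetDevice and sets only .source, leaving every other field zeroed. A short comment saying that the wrapper exists only to satisfy the chardev labeling API, and that the security drivers read nothing but the source from it, would help the next reader; a small shared helper would keep the set and restore sides in sync.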
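
Review bot: in the third hunk (qemuDomainRemoveNetDevice, @@ -4699), qemuSecurityRestoreChardevLabel runs unconditionally, including when qemuMonitorDetachCharDev failed and the error was deliberately ignored by the block just above. In that case QEMU may still hold the chardev, so it is worth deciding whether the label should be restored there and recording the decision in a comment. The VIR_WARN text would also be more useful if it identified the device, for example by including charDevAlias, since a leftover label on a host socket is something an administrator would need to track down.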