903593 – virt-sandbox fails when run as non-root user

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 903593 - virt-sandbox fails when run as non-root user

Summary: virt-sandbox fails when run as non-root user

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	libvirt-sandbox
Sub Component:
Version:	21
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Daniel Berrangé
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	987225 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-01-24 11:15 UTC by Tim Cuthbertson
Modified:	2015-07-14 15:48 UTC (History)
CC List:	12 users (show)
Fixed In Version:	libvirt-glib-0.2.1-1.fc22
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-14 15:48:40 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Tim Cuthbertson 2013-01-24 11:15:05 UTC

Description of problem:

without root:

$ virt-sandbox -c lxc:/// -- /bin/date 
libvirt-sandbox-init-common: cannot open /dev/tty2: Permission denied
(virt-sandbox:14606): Libvirt.GLib-CRITICAL **: cannot finish stream: stream had unexpected termination

with root:

$ sudo virt-sandbox -c lxc:/// -- /bin/date
Thu Jan 24 22:10:09 EST 2013



Version-Release number of selected component (if applicable):

Fedora 18
$ virt-sandbox --version
libvirt-sandbox version 0.1.0


Additional information:

Using the `-l` switch changes the error message to /dev/tty3, but is otherwise no different.

I couldn't try the QEMU version for other reasons, so this possibly only happens when using LXC.

Comment 1 Rick Elrod 2013-02-11 18:53:46 UTC

I am seeing this as well, and can confirm that it only happens with LXC.

Comment 2 Daniel Walsh 2013-04-01 19:33:13 UTC

I am not sure about how much support we can give for running these commands as non root, since they could have security implications.

Running privledged apps within a lxc container has to be looked at closely.

Comment 3 Tim Cuthbertson 2013-04-01 22:12:03 UTC

> Running privledged apps within a lxc container has to be looked at closely.

This is unfortunate (it really limits the usefulness of a sandbox if only root can launch one), but makes sense. I don't suppose running non-root apps within LXC (which was my intention here) would be any more likely to be supported, since LCX itself would otherwise need to be setuid root to set up a container?

The wording in the manpage of the --privileged flag is a little unclear:

> Retain root privileges inside the sandbox, rather than dropping privileges to match the current user identity

"retain" sounds like you need to run it as root, but "the current user" sounds like you don't necessarily need to be root.

Comment 4 Daniel Walsh 2013-04-03 23:35:29 UTC

You could always use 

policycoreutils-sandbox

man sandbox 

That works as non -root.

Only implements file system container though.

Comment 5 Till Maas 2013-08-05 13:50:55 UTC

If this cannot be fixed, then please add this information to the man page and add a proper error message to virt-sandbox that tells users that root privileges are required.

Comment 6 Daniel Berrangé 2013-08-05 13:55:24 UTC

It is certainly intended that this work, but there are still issues we're trying to deal with here.

NB, you can also use   'virt-sandbox -c qemu:///session /some/command', which does work as non-root. Only accessing lxc:/// or qemu:///system as non-root fails.

Normally when you start a sandbox, the user you get inside the sandbox will match the uid of your current user. The '--privileged' is a way to ensure you always get root inside the sandbox. eg if you ran this as user 'berrange'

   virt-sandbox -c qemu:///session /some/command

it would run /some/command as user 'berrange' inside the sandbox. Using --privileged,  causes it to run as 'root' inside the sandbox. I'll see about clarifying this further in the man page

Comment 7 Till Maas 2013-08-05 14:07:49 UTC

(In reply to Daniel Berrange from comment #6)
> It is certainly intended that this work, but there are still issues we're
> trying to deal with here.
> 
> NB, you can also use   'virt-sandbox -c qemu:///session /some/command',
> which does work as non-root. Only accessing lxc:/// or qemu:///system as
> non-root fails.

This fails due to selinux:
$ virt-sandbox -c qemu:///session /usr/bin/id
Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.10.3-300.fc19.x86_64': Operation not permitted

The type of the kernel image is boot_t, which is not changed with running restorecon as root.

Comment 8 Dimitris 2013-08-07 18:56:57 UTC

Bug 987225 is a dupe of this, but on f19 so I wasn't sure if I should mark it as such.

Also, running:

virt-sandbox -c qemu:///session /usr/bin/id

as root now fails with:

Unable to start sandbox: Failed to create domain: Unable to read from monitor: Connection reset by peer

and in the log:

Aug 07 11:44:41 gaspode libvirtd[753]: Unable to read from monitor: Connection reset by peer
Aug 07 11:44:41 gaspode libvirtd[753]: cannot lookup default selinux label for /tmp/libvirt-sandbox-initrd-wYx10u


libvirt* is at 1.0.5.5-1.fc19, libvirt-sandbox* is at 0.2.0-1.fc19.  I don't see libvirt-sandbox 0.5 for <f20 on koji, should I wait for that?

Comment 9 Cole Robinson 2013-12-16 19:08:21 UTC

Since F18 is end-of-life, this is unlikely to be fixed there, so reassigning to F19.

Comment 10 Cole Robinson 2013-12-16 19:08:36 UTC

*** Bug 987225 has been marked as a duplicate of this bug. ***

Comment 11 Fedora End Of Life 2015-01-09 17:36:36 UTC

This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 12 Fedora End Of Life 2015-02-17 14:42:09 UTC

Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 13 Dimitris 2015-02-17 20:43:32 UTC

Still failing under F21, libvirt-sandbox 0.5.1-4.fc21

non-root:

> $ virt-sandbox -c qemu:///session /usr/bin/id
> libvirt-sandbox-init-qemu: readall: cannot open fscache.ko

root:

> $ sudo virt-sandbox -c qemu:///session /usr/bin/id
> Swipe your finger across the fingerprint reader
> Unable to start sandbox: Failed to create domain: internal error: process exited while connecting to monitor: qemu: could not load kernel '/var/run/libvirt-sandbox/sandbox/vmlinuz': Permission denied

non-root:

(This asked for root permission, via gnome UI, anyway):

> $ virt-sandbox -c lxc:/// -- /bin/date
> /usr/libexec/libvirt-sandbox-init-common: Unable to load config /etc/libvirt-sandbox/scratch/sandbox.cfg: Permission denied

log:

> type=AVC msg=audit(1424205595.608:507): avc:  denied  { read } for  pid=6764 comm="libvirt-sandbox" name="sandbox.cfg" dev="dm-2" ino=11013754 scontext=system_u:system_r:svirt_lxc_net_t:s0:c576,c657 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file permissive=0

> type=SYSCALL msg=audit(1424205595.608:507): arch=x86_64 syscall=open success=no exit=EACCES a0=405ba0 a1=0 a2=0 a3=11f items=0 ppid=6763 pid=6764 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=libvirt-sandbox exe=/usr/libexec/libvirt-sandbox-init-common

works when run as root.

Comment 14 Kashyap Chamarthy 2015-02-26 13:13:01 UTC

This is still reproducible with QEMU/KVM

As non-root:

  $ virt-sandbox -c qemu:///session -- /bin/date
  libvirt-sandbox-init-qemu: readall: cannot open fscache.ko

As root:

  $ getenforce 
  Permissive

  $ virt-sandbox -c qemu:///system -- /bin/date
Unable to start sandbox: Failed to create domain: internal error: process exited while connecting to monitor: qemu: could not load kernel '/var/run/libvirt-sandbox/sandbox/vmlinuz': Permission denied


Version
-------
  $ uname -r; rpm -q libvirt-sandbox
  4.0.0-0.rc1.git1.1.fc23.x86_64
  libvirt-sandbox-0.5.1-4.fc22.x86_64


Daniel Berrange on IRC mentioned the below about the root cause:

   there's a problem that fedora has renamed the kenrel modules, they
   now have .ko.xz instead of .ko

Comment 15 Fedora Update System 2015-07-01 18:15:15 UTC

libvirt-glib-0.2.1-1.fc22, libvirt-sandbox-0.6.0-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/libvirt-glib-0.2.1-1.fc22,libvirt-sandbox-0.6.0-1.fc22

Comment 16 Fedora Update System 2015-07-03 18:50:15 UTC

Package libvirt-glib-0.2.1-1.fc22, libvirt-sandbox-0.6.0-1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-glib-0.2.1-1.fc22 libvirt-sandbox-0.6.0-1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-11131/libvirt-glib-0.2.1-1.fc22,libvirt-sandbox-0.6.0-1.fc22
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2015-07-14 15:48:40 UTC

libvirt-glib-0.2.1-1.fc22, libvirt-sandbox-0.6.0-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.