Gentoo Forums
setting cap via pam to virsh

Networking & Security
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5929

PostPosted: Mon Aug 12, 2024 6:37 pm    Post subject: setting cap via pam to virsh

Greetings,

As part of a sessioned virsh, I need to create a tap interface, but I'm unable to due to permissions. I get this error: "Unable to create tap device Operation not permitted"
I took out the relevant code and placed it in a C file, compiled it and got a bin that tries to create a tap.
Next, I went to configure pam_cap as follows:

  1. created a file at /etc/pam.d/test1 and added this to the file: auth required pam_cap.so
  2. set the cap with this command: setcap cap_net_admin+eip test1

and I ran test1, it worked.
Now I went to define the same for virsh, e.g.:

  1. created a file at /etc/pam.d/virsh and added this to the file: auth required pam_cap.so
  2. set the cap with this command: setcap cap_net_admin+eip $(which virsh)

and ran virsh -c qemu:///session start <vm>; I'm still getting the error above. I assume that it is because the creation gets executed in a thread, but afaik the i in setcap takes care of it.
What am I missing?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
salahx
Guru
Joined: 12 Mar 2005
Posts: 556

PostPosted: Mon Aug 12, 2024 11:38 pm    Post subject:

That's because virsh doesn't actually create the tap. virsh is just a command-line wrapper for the dbus API. What you want to do is give permissions to the helper qemu uses to create bridge and tap devices. That helper is /usr/libexec/qemu-bridge-helper.
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5929

PostPosted: Tue Aug 13, 2024 2:54 pm    Post subject:

salahx wrote:
That's because virsh doesn't actually create the tap. virsh is just a command-line wrapper for the dbus API. What you want to do is give permissions to the helper qemu uses to create bridge and tap devices. That helper is /usr/libexec/qemu-bridge-helper.

That helper has suid set like the docs say, so the needed permissions are in place.
In addition, the message printed above doesn't exist in qemu-bridge-helper's code file, but it can be found here: https://github.com/libvirt/libvirt/blob/master/src/util/virnetdevtap.c#L234
Note that I'm not trying to connect a tap to an existing bridge; I'm trying to connect the host and the VM directly with a tap interface.
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein