libvirt users - Jul 2020 - NVDIMM in devdax mode and SELinux (was: Two questions about NVDIMM devices)

Daniel P. Berrangé <berrange@redhat.com> writes:
> On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote:
>> Hi,
>> 
>
>> I've met two situations with NVDIMM support in libvirt where
I'm not
>> sure all the parties (libvirt & I) do the things correctly.
>> 
>> The first problem is with memory alignment and size changes.  In
>> addition to the size changes applied to NVDIMMs by QEMU, libvirt also
>> makes some NVDIMM size changes for better alignments, in
>> qemuDomainMemoryDeviceAlignSize.  This can lead to the size being
>> rounded up, exceeding the size of the backing device and QEMU failing
to
>> start the VM for that reason (I've experienced that actually).  I
work
>> with emulated NVDIMM devices, not a bare metal hardware, so one might
>> argue that in practice the device sizes should already be aligned, but
>> I'm not sure it must be always the case considering labels or
whatever
>> else the user decides to set up.  And I still don't feel very
>> comfortable that I have to count with two internal size adjustments
>> (libvirt & QEMU) to the `size' value I specify, with the
ultimate goal
>> of getting the VM started and having the NVDIMM aligned properly to
make
>> (non-NVDIMM) memory hot plug working.  Is the size alignment performed
>> by libvirt, especially rounding up, completely correct for NVDIMMs?
>
> The comment on the function says QEMU aligns to "page size",
which
> is something that can vary depending not only on architecture, and
> also the build config options for the kernel on that architecture.
> eg aarch64 has different page size in RHEL than other distros because
> of different choice of page size in kernel config. 
>
> Libvirt rounds up to 1 MB, 
Actually 2 MB, at least in my case, apparently in
qemuDomainGetMemoryModuleSizeAlignment.  But it's just a detail.
> essentially so that the size works no matter what architecture or
> build options were used. I think this is quite compelling as I don't
> think mgmt apps are likely to care enough about non-x86 architectures
> to pick the right rounded sizes.
>
> If we're enforcing this 1 MB rounding though, we really should be
> documenting it clearly, so that apps can pick the right backing file
> size. I think we dropped the ball on docs.
Yes, OK.  I also wonder how exactly label size is counted in.  It's
added to the aligned value in qemuDomainNVDimmAlignSizePseries with the
argument that label size is mandatory on ppc.  But it's also permitted
on other architectures and I can't see a similar adjustment for them.  I
think QEMU handles it fine in either case (by subtracting label size
from the overall size and aligning the result down) and I guess the
special handling of ppc in libvirt is just not to waste 256 MB
unnecessarily.  Still, all the size shuffling scares me and I can only
hope that I compute my target sizes for the domain XML correctly to make
everything working well...
>> The second problem is that a VM fails to start with a backing NVDIMM in
>> devdax mode due to SELinux preventing access to the /dev/dax* device
(it
>> doesn't happen with any other NVDIMM modes).  Who should be
responsible
>> for handling the SELinux label appropriately in that case?  libvirt,
the
>> system administrator, anybody else?  Using <seclabel> in
NVDIMM's source
>> doesn't seem to be accepted by the domain XML schema.
>
> The expectation is that out of the box SELinux will "just work".
So
> anything that is broken is a bug in either libvirt or selinux policy.
>
> There is no expectation/requirement to use <seclabel> unless you want
> to setup non-default behaviour which isn't the case here.
>
> IOW this sounds like a genuine bug.
OK, I'll try to find out what and where is the problem exactly.

Thank you for the clarifications,
Milan

Milan Zamazal <mzamazal@redhat.com> writes:
> Daniel P. Berrangé <berrange@redhat.com> writes:
>
>> On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote:
>>> The second problem is that a VM fails to start with a backing
NVDIMM in
>>> devdax mode due to SELinux preventing access to the /dev/dax*
device (it
>>> doesn't happen with any other NVDIMM modes).  Who should be
responsible
>>> for handling the SELinux label appropriately in that case? 
libvirt, the
>>> system administrator, anybody else?  Using <seclabel> in
NVDIMM's source
>>> doesn't seem to be accepted by the domain XML schema.
>>
>> The expectation is that out of the box SELinux will "just
work". So
>> anything that is broken is a bug in either libvirt or selinux policy.
>>
>> There is no expectation/requirement to use <seclabel> unless you
want
>> to setup non-default behaviour which isn't the case here.
>>
>> IOW this sounds like a genuine bug.
>
> OK, I'll try to find out what and where is the problem exactly.
The problem apparently is that /dev/dax* is a character device rather
than a block device (such as /dev/pmem*), which is not expected by
SELinux policy rules.

This is an NVDIMM in fsdax mode:

  # ls -lZ /dev/pmem0
  brw-rw----. 1 root disk system_u:object_r:device_t:s0 259, 0 Jul  9 11:39
/dev/pmem0

This is the same NVDIMM reconfigured as devdax:

  # ls -lZ /dev/dax0.0 
  crw-------. 1 root root system_u:object_r:device_t:s0 252, 5 Jul  9 11:43
/dev/dax0.0

(Unix permissions are different, but when I change them to `disk' group
and 660, the same problem still occurs.)

audit.log reports the following when starting a VM with an NVDIMM device
in devdax mode:

  type=AVC msg=audit(1594144691.758:913): avc:  denied  { map } for  pid=21659
comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs"
ino=1521557 scontext=system_u:system_r:svirt_t:s0:c216,c981
tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file
permissive=0
  type=AVC msg=audit(1594144691.758:914): avc:  denied  { map } for  pid=21659
comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs"
ino=1521557 scontext=system_u:system_r:svirt_t:s0:c216,c981
tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file
permissive=0

Indeed, svirt_t map access to svirt_image_t is allowed only for files
and block devices:

  # sesearch -A -p map -s svirt_t -t svirt_image_t
  ...
  allow svirt_t svirt_image_t:blk_file map;
  allow svirt_t svirt_image_t:file map;

What to do about it?  Do I handle the NVDIMM in a wrong way or should
sVirt policies be fixed?

Thanks,
Milan

On Thu, Jul 09, 2020 at 11:53:19AM +0200, Milan Zamazal
wrote:
> Milan Zamazal <mzamazal@redhat.com> writes:
> 
> > Daniel P. Berrangé <berrange@redhat.com> writes:
> >
> >> On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote:
> >>> The second problem is that a VM fails to start with a backing
NVDIMM in
> >>> devdax mode due to SELinux preventing access to the /dev/dax*
device (it
> >>> doesn't happen with any other NVDIMM modes).  Who should
be responsible
> >>> for handling the SELinux label appropriately in that case? 
libvirt, the
> >>> system administrator, anybody else?  Using <seclabel> in
NVDIMM's source
> >>> doesn't seem to be accepted by the domain XML schema.
> >>
> >> The expectation is that out of the box SELinux will "just
work". So
> >> anything that is broken is a bug in either libvirt or selinux
policy.
> >>
> >> There is no expectation/requirement to use <seclabel> unless
you want
> >> to setup non-default behaviour which isn't the case here.
> >>
> >> IOW this sounds like a genuine bug.
> >
> > OK, I'll try to find out what and where is the problem exactly.
> 
> The problem apparently is that /dev/dax* is a character device rather
> than a block device (such as /dev/pmem*), which is not expected by
> SELinux policy rules.
> 
> This is an NVDIMM in fsdax mode:
> 
>   # ls -lZ /dev/pmem0
>   brw-rw----. 1 root disk system_u:object_r:device_t:s0 259, 0 Jul  9 11:39
/dev/pmem0
> 
> This is the same NVDIMM reconfigured as devdax:
> 
>   # ls -lZ /dev/dax0.0 
>   crw-------. 1 root root system_u:object_r:device_t:s0 252, 5 Jul  9 11:43
/dev/dax0.0
> 
> (Unix permissions are different, but when I change them to `disk' group
> and 660, the same problem still occurs.)
> 
> audit.log reports the following when starting a VM with an NVDIMM device
> in devdax mode:
> 
>   type=AVC msg=audit(1594144691.758:913): avc:  denied  { map } for 
pid=21659 comm="qemu-kvm" path="/dev/dax0.0"
dev="tmpfs" ino=1521557
scontext=system_u:system_r:svirt_t:s0:c216,c981
tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file
permissive=0
>   type=AVC msg=audit(1594144691.758:914): avc:  denied  { map } for 
pid=21659 comm="qemu-kvm" path="/dev/dax0.0"
dev="tmpfs" ino=1521557
scontext=system_u:system_r:svirt_t:s0:c216,c981
tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file
permissive=0
> 
> Indeed, svirt_t map access to svirt_image_t is allowed only for files
> and block devices:
> 
>   # sesearch -A -p map -s svirt_t -t svirt_image_t
>   ...
>   allow svirt_t svirt_image_t:blk_file map;
>   allow svirt_t svirt_image_t:file map;
> 
> What to do about it?  Do I handle the NVDIMM in a wrong way or should
> sVirt policies be fixed?
File a BZ against the policy as this looks like a valid use case


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|