
Socket activation AF_VSOCK (SOCK_STREAM): Client on the host, server in a VM #176

Closed
eriksjolund opened this issue Apr 16, 2022 · 1 comment

Comments

@eriksjolund

eriksjolund commented Apr 16, 2022

Description

Feature request.

  • Add support for socket activation of an AF_VSOCK (SOCK_STREAM) socket, where the client (socat) runs on the host
    and the systemd user service is running in a Fedora CoreOS VM. The systemd user service uses podman to start the container
    ghcr.io/eriksjolund/socket-activate-echo:vsock.

  • Add support for socket activation of an AF_VSOCK (SOCK_STREAM) socket, where the client (socat) runs on the host
    and the systemd-socket-activate is run by a regular user in a Fedora CoreOS VM. systemd-socket-activate
    uses podman to start the container ghcr.io/eriksjolund/socket-activate-echo:vsock.

Follow these steps to see the audit logs

Open four Bash terminals, terminal 1, terminal 2, terminal 3 and terminal 4 on a Fedora 35 Linux computer.

The Fedora CoreOS VM (next stream) runs Fedora 36 and uses the RPM container-selinux-2.181.0-1.fc36.noarch.

  1. Append this text

    Host fcos
             HostName 127.0.0.1
             User core
             Port 2222
             IdentityFile ~/.ssh/id_ed25519_fcos_vm
             NoHostAuthenticationForLocalhost yes
             ServerAliveInterval 300
    

    to your SSH configuration file ~/.ssh/config.

  2. In terminal 1 start a Fedora CoreOS VM by running

    git clone https://github.com/eriksjolund/socket-activate-echo.git
    cd socket-activate-echo
    git checkout vsock
    sshPort=2222
    STREAM=next
    CID=20 
    mkdir -p ~/.local/share/libvirt/images/
    file=$(coreos-installer download -s "${STREAM}" -p qemu -f qcow2.xz --decompress -C ~/.local/share/libvirt/images/)
    ssh-keygen -f ~/.ssh/id_ed25519_fcos_vm -t ed25519 -N ""
    export REPLACE_ME_SSHKEY=$(cat ~/.ssh/id_ed25519_fcos_vm.pub)
    cat vm/echo.butane | envsubst '${REPLACE_ME_SSHKEY}' | butane --strict --pretty --files-dir systemd > file.ign
    qemu-kvm -m 2048 \
      -device "vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=$CID" \
      -cpu host -nographic -snapshot \
      -drive "if=virtio,file=$file" \
      -fw_cfg name=opt/com.coreos/config,file=file.ign -nic "user,model=virtio,hostfwd=tcp::${sshPort}-:22"
    

    Wait until a prompt is shown

    [core@fcos ~]$
    
  3. In terminal 2 log in with SSH to the root account in the VM

    ssh root@fcos
    
  4. In terminal 2 run

    /usr/bin/rpm-ostree install --apply-live --allow-inactive audit policycoreutils-python-utils
    systemctl start auditd.service
    setenforce 0
    
  5. In terminal 2 check the time

    [root@fcos ~]#  date '+%x %T'
    04/16/22 13:09:22
    
  6. In terminal 3 (on the host) test the echo@demo.service in the VM by running socat on the host

    [esjolund@asus tmp]$ echo hello | socat -t 30 - VSOCK-CONNECT:20:3000
    hello
    

    (20 is the CID number that was given as argument to the qemu command)

  7. In terminal 2 check the audit log

    [root@fcos ~]# ausearch --start 04/16/22  '13:09:22' --raw > /tmp/raw1
    [root@fcos ~]# cat /tmp/raw1 | audit2allow 
    
    
    #============= container_t ==============
    allow container_t container_runtime_t:unix_dgram_socket { getattr getopt };
    allow container_t container_runtime_t:vsock_socket { accept getattr getopt };
    [root@fcos ~]# cat /tmp/raw1 
    type=AVC msg=audit(1650114572.840:400): avc:  denied  { getattr } for  pid=2108 comm="socket-activate" path="socket:[21684]" dev="sockfs" ino=21684 scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    type=AVC msg=audit(1650114572.840:401): avc:  denied  { getopt } for  pid=2108 comm="socket-activate" path="/var/home/core/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    type=AVC msg=audit(1650114572.840:402): avc:  denied  { getattr } for  pid=2108 comm="socket-activate" path="socket:[21702]" dev="sockfs" ino=21702 scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650114572.840:403): avc:  denied  { getopt } for  pid=2108 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650114572.840:404): avc:  denied  { accept } for  pid=2108 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@fcos ~]# cat /tmp/raw1 | ausearch --start 04/16/22  '13:09:22'
    ----
    time->Sat Apr 16 13:09:32 2022
    type=AVC msg=audit(1650114572.840:400): avc:  denied  { getattr } for  pid=2108 comm="socket-activate" path="socket:[21684]" dev="sockfs" ino=21684 scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    ----
    time->Sat Apr 16 13:09:32 2022
    type=AVC msg=audit(1650114572.840:401): avc:  denied  { getopt } for  pid=2108 comm="socket-activate" path="/var/home/core/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    ----
    time->Sat Apr 16 13:09:32 2022
    type=AVC msg=audit(1650114572.840:402): avc:  denied  { getattr } for  pid=2108 comm="socket-activate" path="socket:[21702]" dev="sockfs" ino=21702 scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:09:32 2022
    type=AVC msg=audit(1650114572.840:403): avc:  denied  { getopt } for  pid=2108 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:09:32 2022
    type=AVC msg=audit(1650114572.840:404): avc:  denied  { accept } for  pid=2108 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@fcos ~]# 
    
  8. In terminal 4 log in with SSH to core@fcos

    ssh core@fcos
    
  9. In terminal 4 run systemd-socket-activate

    [core@fcos ~]$ systemd-socket-activate -l /tmp/stream.sock -l 4000 -l vsock:4294967295:4000  podman run --rm --name echo2 --network=none ghcr.io/eriksjolund/socket-activate-echo:vsock
    
  10. In terminal 2 check the time

    [root@fcos ~]# date '+%x %T'
    04/16/22 13:24:41
    
  11. In terminal 3 (on the host) test the echo server that will be activated by systemd-socket-activate in the VM, by running socat on the host

    [esjolund@asus tmp]$ echo hello | socat -t 30 - VSOCK-CONNECT:20:4000
    hello
    
  12. In terminal 2 check the audit logs

    [root@fcos ~]# ausearch --start 04/16/22  '13:24:41' --raw > /tmp/raw2
    [root@fcos ~]# cat /tmp/raw2 | audit2allow 
    
    
    #============= container_t ==============
    allow container_t unconfined_t:vsock_socket { accept getattr getopt };
    [root@fcos ~]# cat /tmp/raw2
    type=AVC msg=audit(1650115489.898:462): avc:  denied  { getattr } for  pid=2226 comm="socket-activate" path="socket:[26023]" dev="sockfs" ino=26023 scontext=system_u:system_r:container_t:s0:c728,c917 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650115489.898:463): avc:  denied  { getopt } for  pid=2226 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c728,c917 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650115489.899:464): avc:  denied  { accept } for  pid=2226 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c728,c917 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=TIME_ADJNTPVAL msg=audit(1650115496.982:465): op=freq old=-54015623168000 new=-53822488576000
    type=SYSCALL msg=audit(1650115496.982:465): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fff45767ae0 a2=fffffffffff377ee a3=7fff457b5080 items=0 ppid=1 pid=1286 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)ARCH=x86_64 SYSCALL=clock_adjtime AUID="unset" UID="chrony" GID="chrony" EUID="chrony" SUID="chrony" FSUID="chrony" EGID="chrony" SGID="chrony" FSGID="chrony"
    type=PROCTITLE msg=audit(1650115496.982:465): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    type=TIME_ADJNTPVAL msg=audit(1650115496.982:466): op=freq old=-53822488576000 new=-52316405760000
    type=SYSCALL msg=audit(1650115496.982:466): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fff45767af0 a2=fffffffffff3d1b3 a3=7fff457b5080 items=0 ppid=1 pid=1286 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)ARCH=x86_64 SYSCALL=clock_adjtime AUID="unset" UID="chrony" GID="chrony" EUID="chrony" SUID="chrony" FSUID="chrony" EGID="chrony" SGID="chrony" FSGID="chrony"
    type=PROCTITLE msg=audit(1650115496.982:466): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    [root@fcos ~]# cat /tmp/raw2 | ausearch --start 04/16/22  '13:24:41'
    ----
    time->Sat Apr 16 13:24:49 2022
    type=AVC msg=audit(1650115489.898:462): avc:  denied  { getattr } for  pid=2226 comm="socket-activate" path="socket:[26023]" dev="sockfs" ino=26023 scontext=system_u:system_r:container_t:s0:c728,c917 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:24:49 2022
    type=AVC msg=audit(1650115489.898:463): avc:  denied  { getopt } for  pid=2226 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c728,c917 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:24:49 2022
    type=AVC msg=audit(1650115489.899:464): avc:  denied  { accept } for  pid=2226 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c728,c917 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:24:56 2022
    type=PROCTITLE msg=audit(1650115496.982:465): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    type=SYSCALL msg=audit(1650115496.982:465): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fff45767ae0 a2=fffffffffff377ee a3=7fff457b5080 items=0 ppid=1 pid=1286 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
    type=TIME_ADJNTPVAL msg=audit(1650115496.982:465): op=freq old=-54015623168000 new=-53822488576000
    ----
    time->Sat Apr 16 13:24:56 2022
    type=PROCTITLE msg=audit(1650115496.982:466): proctitle=2F7573722F7362696E2F6368726F6E7964002D460032
    type=SYSCALL msg=audit(1650115496.982:466): arch=c000003e syscall=305 success=yes exit=0 a0=0 a1=7fff45767af0 a2=fffffffffff3d1b3 a3=7fff457b5080 items=0 ppid=1 pid=1286 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)
    type=TIME_ADJNTPVAL msg=audit(1650115496.982:466): op=freq old=-53822488576000 new=-52316405760000
    [root@fcos ~]# 
    
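Added example, not from the issue or the container-selinux project: a small parser that reduces raw AVC records like those in the logs above to the per-(source type, target type, class) `allow` lines that audit2allow printed, and keeps the `permissive=1` flag so you can tell that the access went through (the VM was running under `setenforce 0`). The sample records are constructed in the shape of the issue's log; the function names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample input: AVC records shaped like the issue's audit log
# (same fields and contexts), plus one non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1650114572.840:400): avc:  denied  { getattr } for  pid=2108 comm="socket-activate" path="socket:[21684]" dev="sockfs" ino=21684 scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1650114572.840:403): avc:  denied  { getopt } for  pid=2108 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650114572.840:404): avc:  denied  { accept } for  pid=2108 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c470,c862 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=TIME_ADJNTPVAL msg=audit(1650115496.982:465): op=freq old=-54015623168000 new=-53822488576000
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)

class Denial(NamedTuple):
    source_type: str        # SELinux type of the acting process, e.g. container_t
    target_type: str        # SELinux type of the object it touched
    tclass: str             # object class, e.g. vsock_socket
    perms: Tuple[str, ...]  # permissions that were denied
    permissive: bool        # True: logged under setenforce 0, the access still succeeded

def selinux_type(context: str) -> str:
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def parse_avc_denials(text: str) -> List[Denial]:
    """Extract AVC denial records from raw ausearch output; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                              m["tclass"], tuple(m["perms"].split()), m["permissive"] == "1"))
    return denials

def format_allow_rules(denials: List[Denial]) -> List[str]:
    """Collapse denials into audit2allow-style allow lines, one per (source, target, class)."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(format_allow_rules(parse_avc_denials(SAMPLE_AUDIT))))
```

Feed it `ausearch --raw` output to compare the merged rule set against what a policy update such as the fixed container-selinux release is expected to grant.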
@rhatdan
Member

rhatdan commented Apr 18, 2022

Fixed in v2.183.0

@rhatdan rhatdan closed this as completed Apr 18, 2022