Permissions issue when accessing drives/partitions

powerhouse (Level 5, Posts: 965, Joined: Thu May 03, 2012 3:54 am, Location: Israel)

Postby powerhouse » Sun Feb 12, 2017 3:02 pm

I use a batch script to start a Windows VM running under qemu / kvm. The script works fine when I run it using sudo (root privileges).
Obviously it's not a great idea to run a Windows VM with root privileges, so I created a user called qemu_vga with limited permissions. Here is where things get complicated. Below is the script:

#!/bin/bash

configfile=/etc/vfio-pci.cfg
vmname="win10vm"

# Unbind a PCI device from its current driver and register its vendor:device
# ID with vfio-pci. $1 is the sysfs address, e.g. 0000:02:00.0
vfiobind() {
   dev="$1"
   vendor=$(cat "/sys/bus/pci/devices/$dev/vendor")
   device=$(cat "/sys/bus/pci/devices/$dev/device")
   if [ -e "/sys/bus/pci/devices/$dev/driver" ]; then
      echo "$dev" > "/sys/bus/pci/devices/$dev/driver/unbind"
   fi
   echo "$vendor $device" > /sys/bus/pci/drivers/vfio-pci/new_id
}

# The VM's process name is set below with -name ...,process=$vmname
if ps -A | grep -q "$vmname"; then
   zenity --info --window-icon=info --timeout=15 --text="$vmname is already running." &
   exit 1

else
   # One PCI address per line; blank lines and lines starting with # are skipped.
   while read -r line; do
      case "$line" in ''|'#'*) continue ;; esac
      vfiobind "$line"
   done < "$configfile"

export QEMU_AUDIO_DRV=pa
export QEMU_PA_SAMPLES=8192
export QEMU_AUDIO_TIMER_PERIOD=99
export QEMU_PA_SERVER=/run/user/1000/pulse/native

# Fresh copy of the OVMF variable store for this boot. mktemp avoids a fixed,
# predictable file name in world-writable /tmp that root would otherwise
# overwrite (and follow if someone planted a symlink there).
varsfile=$(mktemp /tmp/my_vars.XXXXXX)
cp /usr/share/OVMF/OVMF_VARS.fd "$varsfile"
chown qemu_vga:qemu_vga "$varsfile"

# From here to EOF everything runs as qemu_vga. The heredoc is unquoted, so
# $vmname and $varsfile are expanded by this (root) shell before bash starts.
sudo -Hu qemu_vga bash << EOF

taskset -c 0-9 qemu-system-x86_64 \
  -monitor stdio \
  -serial none \
  -parallel none \
  -nodefaults \
  -nodefconfig \
  -enable-kvm \
  -name $vmname,process=$vmname \
  -machine q35,accel=kvm,kernel_irqchip=on,mem-merge=off \
  -cpu host,kvm=off,hv_vendor_id=1234567890ab,hv_vapic,hv_time,hv_relaxed,hv_spinlocks=0x1fff \
  -smp 10,sockets=1,cores=5,threads=2 \
  -m 20G \
  -mem-path /run/hugepages/kvm \
  -mem-prealloc \
  -balloon none \
  -rtc base=localtime,clock=host \
  -vga none \
  -nographic \
  -soundhw hda \
  -device vfio-pci,host=02:00.0,multifunction=on \
  -device vfio-pci,host=02:00.1 \
  -device vfio-pci,host=00:1a.0 \
  -device vfio-pci,host=08:00.0 \
  -drive if=pflash,format=raw,readonly,file=/usr/share/OVMF/OVMF_CODE.fd \
  -drive if=pflash,format=raw,file=$varsfile \
  -boot order=c \
  -drive id=disk0,if=virtio,cache=none,format=raw,aio=native,file=/dev/mapper/lm13-win10 \
  -drive id=disk1,if=virtio,cache=none,format=raw,aio=native,file=/dev/mapper/photos-photo_stripe \
  -drive id=disk2,if=virtio,cache=none,format=raw,aio=native,file=/dev/mapper/media-photo_raw \
  -netdev type=tap,id=net0,ifname=vmtap0,vhost=on,script=/home/qemu_vga/qemu-ifup.sh,downscript=/home/qemu_vga/qemu-ifdown.sh \
  -device virtio-net-pci,netdev=net0,mac=00:16:3e:00:0e:0e

EOF

rm -f "$varsfile"
exit 0
fi

The script is started with sudo privileges and everything is easy-peasy up until "sudo -Hu qemu_vga bash << EOF". At that point, until the EOF label, the code is executed as the qemu_vga user. I have already solved about all permissions issues by changing permissions in different locations, except the following problem:

Qemu quits with a permissions problem when accessing /dev/mapper/lm13-win10, /dev/mapper/photos-photo_stripe, and /dev/mapper/media-photo_raw.

A temporary workaround is changing the group from disk to qemu_vga with rw permission, but that can't be the solution, or can it?

I've been looking into udev rules as well as udisks2 but can't think of a proper way to handle this. Any ideas?

Note: Not directly related to the problem above, I solved some of the permissions issues with qemu/kvm by using a udev rules file named 10-qemu-hw-users.rules in /etc/udev/rules.d with the following content:

SUBSYSTEM=="vfio", OWNER="root", GROUP="kvm"


I was wondering whether that would be a way to success?
Asus Sabertooth X79, i7 3930K CPU, 8x4GB Kingston DDR3 RAM, Noctua NH-D14 CPU cooler, Gigabyte GTX 970 + PNY Quadro 2000 GPU, Asus Xonar Essence STX, Sandisk Extreme 120GB + Samsung EVO 850 250GB SSD + 5 HDD, Corsair 500R case, SeaSonic 660W Gold X PS

txba516 (Level 3, Posts: 197, Joined: Fri Aug 10, 2007 11:57 am, Location: Atlanta, GA)

Re: Permissions issue when accessing drives/partitions

Postby txba516 » Tue Feb 14, 2017 2:16 pm

Maybe you could add the qemu_vga user as a member of the disk group so that it is a secondary group for that user?

sudo usermod -aG disk qemu_vga

This should allow the user to take advantage of the permissions available to the disk group where assigned.

Re: Permissions issue when accessing drives/partitions

Postby powerhouse » Tue Feb 14, 2017 4:18 pm

txba516 wrote: Maybe you could add the qemu_vga user as a member of the disk group so that it is a secondary group for that user?

sudo usermod -aG disk qemu_vga

This should allow the user to take advantage of the permissions available to the disk group where assigned.

Thanks! I have thought about it but am concerned that if I make my VM user qemu_vga member of the disk group, qemu_vga will have access to all the drives, without restrictions.

I'm still not sure how disk/partition/volume mount and access permissions work. For example, udisks2 handles the mounting of disks. Perhaps there is a more granular way to allow qemu_vga to mount or access only the VM LVs (I use LVM)? I just don't know which approach is the best: udev, udisks2, fstab, sudoers - there are too many options and I'm lost.

Perhaps I'm paranoid.
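The udev route asked about in the first post and again above is workable, and it is narrower than membership in the disk group: a rule that matches the three VM logical volumes and sets their owner, so qemu_vga gets read/write on exactly those nodes and nothing else. The script below is an added example, not code from this thread, from qemu or from lvm2. It assumes the VG/LV names visible in the thread's /dev/mapper paths (lm13/win10, photos/photo_stripe, media/photo_raw), the user name qemu_vga, and a made-up rule file name, /etc/udev/rules.d/90-qemu-lv-owner.rules. It matches on DM_VG_NAME and DM_LV_NAME, which lvm2's own 11-dm-lvm.rules derives from dmsetup splitname, rather than on DM_NAME, so names that contain a hyphen (which device-mapper doubles in DM_NAME) are not a problem; the file name must sort after 11-dm-lvm.rules for those variables to be set, and it also needs to come after the default rule that puts block devices in group disk with mode 0660, which it overrides.

```bash
#!/bin/bash
# Added example (not from the thread, qemu or lvm2): give one unprivileged
# user the dm nodes of specific LVs via udev instead of the "disk" group.
# Assumed names: user qemu_vga, LVs lm13/win10, photos/photo_stripe,
# media/photo_raw, and a hypothetical rule file name below.
set -u

RULES_FILE=/etc/udev/rules.d/90-qemu-lv-owner.rules   # hypothetical; must sort after 11-dm-lvm.rules

# Emit one udev rule per "vg/lv" argument. DM_VG_NAME/DM_LV_NAME are set by
# lvm2's 11-dm-lvm.rules, so the match works even when names contain "-".
# The rule changes the dm-N node itself; /dev/mapper/vg-lv is only a symlink.
make_lv_rules() {
    local user="$1"; shift
    local spec vg lv
    for spec in "$@"; do
        vg=${spec%%/*}
        lv=${spec#*/}
        printf 'SUBSYSTEM=="block", ENV{DM_VG_NAME}=="%s", ENV{DM_LV_NAME}=="%s", OWNER="%s", MODE="0600"\n' \
            "$vg" "$lv" "$user"
    done
}

# Pass/fail check of a node as the VM user will see it: owned by $user, and
# neither group nor others have any access bits. Follows symlinks so that
# /dev/mapper/... paths can be checked directly. Uses GNU stat (Linux).
check_node() {
    local node="$1" user="$2" owner mode
    owner=$(stat -L -c %U "$node") || return 1
    mode=$(stat -L -c %a "$node") || return 1
    [ "$owner" = "$user" ] || return 1
    [ $(( 8#$mode & 8#077 )) -eq 0 ]
}

# Write the rule file and re-run udev over the existing block devices so the
# ownership is applied now, not only after the next reboot. Root only.
install_lv_rules() {
    local user="$1"; shift
    make_lv_rules "$user" "$@" > "$RULES_FILE"
    udevadm control --reload-rules
    udevadm trigger --subsystem-match=block --action=change
    udevadm settle
}

if [ "${1:-}" = "install" ]; then
    install_lv_rules qemu_vga lm13/win10 photos/photo_stripe media/photo_raw
    for n in /dev/mapper/lm13-win10 /dev/mapper/photos-photo_stripe /dev/mapper/media-photo_raw; do
        if check_node "$n" qemu_vga; then echo "ok   $n"; else echo "FAIL $n"; fi
    done
fi
```

Run it as root with the argument install, then check that the three nodes report ok and that any other LV still shows root:disk. To see exactly which rules fired for one volume, use udevadm test on its sysfs path, for instance udevadm test $(udevadm info -q path -n /dev/mapper/lm13-win10). Two caveats: the owner is re-applied on every udev event for the node, so a manual chown or setfacl on /dev/dm-N is not needed and would be overwritten anyway; and this only covers the disk nodes, so the /dev/vfio and hugepage permissions from the first post still have to be handled separately.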
