From: daggs
To: Natanael Copa
Cc: ~alpine/users@lists.alpinelinux.org
Subject: Re: unable to write to dev node
Date: Thu, 4 Jul 2024 18:17:55 +0200
In-Reply-To: <20240704174637.78fb7052@ncopa-desktop>
> > Greetings,
> >
> > I'm trying to debug a bug under alpine linux when it comes to session based libvirt vms.
> > when starting a vm that has a virt nic bound to a bridge, I get this error: Unable to create tap device vnet0: Operation not permitted
> > I've looked into the code of libvirt and narrowed it down to this func: virNetDevTapCreate
> > I've taken the relevant code to a side file for testing, here is the code I use:
> >
> > #include <stdio.h>
> > #include <linux/if_tun.h> /* IFF_TAP, IFF_NO_PI, IFF_VNET_HDR, TUNSETIFF */
> > #include <stdlib.h>
> > #include <string.h>
> > #include <fcntl.h>
> > #include <unistd.h>
> > #include <sys/ioctl.h>
> > #include <net/if.h>      /* struct ifreq, IFNAMSIZ */
> >
> > enum {
> >     VIR_NETDEV_TAP_CREATE_NONE = 0,
> >     /* Bring the interface up */
> >     VIR_NETDEV_TAP_CREATE_IFUP = 1 << 0,
> >     /* Enable IFF_VNET_HDR on the tap device */
> >     VIR_NETDEV_TAP_CREATE_VNET_HDR = 1 << 1,
> >     /* Set this interface's MAC as the bridge's MAC address */
> >     VIR_NETDEV_TAP_CREATE_USE_MAC_FOR_BRIDGE = 1 << 2,
> >     /* The device will persist after the file descriptor is closed */
> >     VIR_NETDEV_TAP_CREATE_PERSIST = 1 << 3,
> >     /* The device is allowed to exist before creation */
> >     VIR_NETDEV_TAP_CREATE_ALLOW_EXISTING = 1 << 4,
> > };
> >
> > int main(void)
> > {
> >     int fd;
> >     char *tunpath = "/dev/net/tun";
> >     size_t tapfdSize = 1;
> >     struct ifreq ifr = { 0 };
> >     unsigned int flags = VIR_NETDEV_TAP_CREATE_IFUP;
> >     if (1)
> >         flags |= VIR_NETDEV_TAP_CREATE_VNET_HDR;
> >
> >     if ((fd = open(tunpath, O_RDWR)) < 0) {
> >         perror("Unable to open, is tun module loaded?");
> >         exit(1);
> >     }
> >
> >     /* bound by IFNAMSIZ so the name is not truncated to "vnet" */
> >     snprintf(ifr.ifr_name, IFNAMSIZ, "vnet%d", 0);
> >     ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
> >     /* If tapfdSize is greater than one, request multiqueue */
> >     if (tapfdSize > 1)
> >         ifr.ifr_flags |= IFF_MULTI_QUEUE;
> >
> >     if (flags & VIR_NETDEV_TAP_CREATE_VNET_HDR)
> >         ifr.ifr_flags |= IFF_VNET_HDR;
> >
> >     /* this is the call that fails with EPERM for the unprivileged user */
> >     if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
> >         perror("Unable to create tap device");
> >     }
> >
> >     close(fd);
> >     return 0;
> > }
> >
> > it compiles fine and works under user root.
> > I have a user named foo which I use for the sessioned vm, looking at /dev/net/tun's permissions, I see this:
> > $ ll /dev/net/tun
> > crw-rw-rw- 1 root netdev 10, 200 Jul 4 15:52 /dev/net/tun
> >
> > so I added foo to the netdev group, now it has the following id output: uid=1002(foo) gid=1002(foo) groups=1002(foo),28(netdev),34(kvm),36(qemu),102(libvirt)
> > and ran the code again, I'm getting the same error.
> > I went to the libvirt community and one of the devs tried to help me with it, he concluded that there is something wrong in alpine because it works in fedora.
> > in contrast, /dev/null has the same permissions as /dev/net/tun but the group is root and I can write to it as user foo.
> >
> > any ideas what I am missing?
>
> Can you run your app under strace? To show which syscall that fails.

$ strace ./test
execve("./test", ["./test"], 0x7ffd948179e0 /* 17 vars */) = 0
arch_prctl(ARCH_SET_FS, 0x7f9eff1a1b28) = 0
set_tid_address(0x7f9eff1a1f90) = 3922
brk(NULL) = 0x559659075000
brk(0x559659077000) = 0x559659077000
mmap(0x559659075000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x559659075000
mprotect(0x7f9eff19e000, 4096, PROT_READ) = 0
mprotect(0x5596579ff000, 4096, PROT_READ) = 0
open("/dev/net/tun", O_RDWR|O_LARGEFILE) = 3
ioctl(3, TUNSETIFF, 0x7ffd72891cf0) = -1 EPERM (Operation not permitted)
writev(2, [{iov_base="", iov_len=0}, {iov_base="Unable to create tap device", iov_len=27}], 2Unable to create tap device) = 27
writev(2, [{iov_base="", iov_len=0}, {iov_base=":", iov_len=1}], 2:) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base=" ", iov_len=1}], 2 ) = 1
writev(2, [{iov_base="", iov_len=0}, {iov_base="Operation not permitted", iov_len=23}], 2Operation not permitted) = 23
writev(2, [{iov_base="", iov_len=0}, {iov_base="\n", iov_len=1}], 2
) = 1
exit_group(0) = ?
+++ exited with 0 +++

> Do you run this under docker? if so it might be libseccomp that is
> causing problems.

no, I'm running inside a libvirt qemu vm. e.g. nested vm

>
> -nc
>
> >
> > Thanks,
> >
> > Dagg
> >