
Please find below a sample of my dom xml. I am running the command virsh create and I get this error:

Unable to open file <json file located inside install_dir>

The permissions for this file are all good.

Are there any special permissions needed for parameters under the qemu:commandline tag? Regardless of the parameter and file I mention within this section, I get the error.

 <domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>my_instance</name>
  <uuid>35615c44-b004-4b3f-9f42-da182b9662ee</uuid>
  <memory unit='KiB'>786432</memory>
  <currentMemory unit='KiB'>786432</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='armv7l' machine='my_machine'>hvm</type>
    <kernel>/home/user/KernelPath/zImage</kernel>
    <dtb>/home/user/DTPPath/emmc.dtb</dtb>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-arm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/home/user/Install_Dir/emmc.dat'/>
      <target dev='sd' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'/>
    <controller type='scsi' index='0'/>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <serial type='pty'>
      <target port='1'/>
    </serial>
    <serial type='pty'>
      <target port='2'/>
    </serial>
    <serial type='pty'>
      <target port='3'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='60316' autoport='no' websocket='60381' listen=''>
      <listen type='address' address=''/>
    </graphics>
    <graphics type='sdl'/>
    <video>
      <model type='qxl'/>
    </video>
    <memballoon model='none'/>
  </devices>
  <qemu:commandline>
    <qemu:arg value='-spdir'/>
    <qemu:arg value='/home/user/Install_Dir'/>
    <qemu:arg value='-show-cursor'/>
  </qemu:commandline>
</domain>
Graham
Deepti
  • The errcode printed is 13. Which means Permission denied while opening the said file. – Deepti Feb 07 '18 at 06:37
  • [The official documentation](https://libvirt.org/kbase/qemu-passthrough-security.html#security-confinement-sandboxing) has a pretty clear explanation of what's going on and how to mitigate it. – Pavel Sapezhko Apr 07 '22 at 18:40

2 Answers

Libvirt will try to run guests using both a dedicated user account (usually the qemu:qemu user/group pair), and also applying either SELinux or AppArmor rules to confine it. Normally libvirt automatically sets file ownership and sets up SELinux/AppArmor policies to "just work". The qemu command line passthrough though is a black box to libvirt, so it has no idea it needs to do something with your /home/user/Install_Dir path. If your user/group ownership is correct, then it's probably the SELinux/AppArmor policies that are denying access. The only viable workaround is to disable them (via /etc/libvirt/qemu.conf), and accept the lower security protection.

DanielB
  • It was the AppArmor policy. I executed aa-complain to overcome the error. – Deepti Feb 07 '18 at 12:33
  • You mentioned qemu:qemu user/group. How do I check if my guest is run with this permission? And what is the change that is needed in /etc/libvirt/qemu.conf that is to be done? – Deepti Feb 07 '18 at 12:35

Running QEMU with root privileges is not advised, as from version 6.0.0 it would not strip the Linux capabilities.

In my case it was AppArmor. I wanted to add an SSDT file for a battery to the VM. There are some folders which AppArmor allows access to, and others (like /home/something) are just not allowed. /var/lib/libvirt/images/ is one of the allowed folders. Although I placed my file there, it was still not allowed by AppArmor policy (as can be seen with sudo cat /var/log/kern.log | grep -C 10 apparmor | grep -C 10 qemu). What worked was adding /var/lib/libvirt/images/SSDT1.dat rk in /etc/apparmor.d/libvirt/TEMPLATE.qemu like this:

#
# This profile is for the domain whose UUID matches this file.
#

#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  /var/lib/libvirt/images/SSDT1.dat rk,
}
Lyubomir
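The following is an added example written for this page; it is not code from the question, from either answer, or from libvirt itself. It answers the two questions left open in the comments on the first answer (which account and AppArmor profile the guest's QEMU actually runs under, and what in /etc/libvirt/qemu.conf controls that) and turns an AppArmor denial into the kind of rule the second answer adds to TEMPLATE.qemu. Assumptions: the log and qemu.conf text are constructed samples (the question never names its JSON file, so /home/user/Install_Dir/sample.json and state.bin are placeholders; the UUID is the one in the posted domain XML); the live check assumes libvirt started QEMU with "-name guest=<domain>,..." and reads the AppArmor label from /proc/<pid>/attr/current; the "rk"/"rwk" permission choice follows the second answer.

```shell
#!/bin/sh
# Added example: not code from the question or either answer. Three offline
# helpers plus one live check, to answer "is my guest running as qemu:qemu and
# confined?" and "what exactly did AppArmor deny?" before touching qemu.conf.

# Constructed sample data (the question does not name its JSON file; the paths
# below are placeholders, the UUID is the one from the posted domain XML).
SAMPLE_LOG='Feb  7 06:30:01 host kernel: [  123.456789] audit: type=1400 audit(1517985001.123:45): apparmor="DENIED" operation="open" profile="libvirt-35615c44-b004-4b3f-9f42-da182b9662ee" name="/home/user/Install_Dir/sample.json" pid=4321 comm="qemu-system-arm" requested_mask="r" denied_mask="r" fsuid=64055 ouid=1000
Feb  7 06:30:01 host kernel: [  123.456790] audit: type=1400 audit(1517985001.124:46): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-35615c44-b004-4b3f-9f42-da182b9662ee" pid=4300 comm="apparmor_parser"
Feb  7 06:30:02 host kernel: [  123.500000] audit: type=1400 audit(1517985002.000:47): apparmor="DENIED" operation="open" profile="libvirt-35615c44-b004-4b3f-9f42-da182b9662ee" name="/home/user/Install_Dir/state.bin" pid=4321 comm="qemu-system-arm" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=1000'
SAMPLE_CONF='# user = "root"
user = "libvirt-qemu"
group = "kvm"
security_driver = "none"'

# Value of KEY="..." in one AppArmor audit line read from stdin.
aa_field() {
  sed -nE "s/.*[[:space:]]$1=\"([^\"]*)\".*/\1/p"
}

# Denials only, one per line: <profile> <operation> <denied_mask> <path>.
# Feed it kern.log, dmesg or audit.log text on stdin.
apparmor_denials() {
  while IFS= read -r line; do
    case "$line" in *'apparmor="DENIED"'*) ;; *) continue ;; esac
    prof=$(printf '%s\n' "$line" | aa_field profile)
    op=$(printf '%s\n' "$line" | aa_field operation)
    mask=$(printf '%s\n' "$line" | aa_field denied_mask)
    path=$(printf '%s\n' "$line" | aa_field name)
    printf '%s %s %s %s\n' "$prof" "$op" "$mask" "$path"
  done
}

# Narrowest AppArmor file rule for one denial, in the form the second answer
# adds to /etc/apparmor.d/libvirt/TEMPLATE.qemu: read-only denials get "rk",
# anything written gets "rwk" (k covers the locks QEMU takes on opened files).
aa_rule_for() {
  case "$2" in *w*|*c*) perms=rwk ;; *) perms=rk ;; esac
  printf '  "%s" %s,\n' "$1" "$perms"
}

# Settings actually in force in qemu.conf text on stdin (commented defaults are
# skipped). No user/group line means the packaged default account applies;
# security_driver = "none" is the "disable confinement" setting the first
# answer refers to, and it applies to every guest on the host.
qemu_conf_settings() {
  sed -nE 's/^[[:space:]]*(user|group|security_driver)[[:space:]]*=[[:space:]]*(.*)$/\1=\2/p'
}

# Live check (needs root and a running domain). Assumes libvirt started QEMU
# with "-name guest=<domain>,..." so the process can be found by that string.
inspect_domain() {
  pid=$(pgrep -f -- "-name guest=$1," | head -n1)
  [ -n "$pid" ] || { echo "$1: no qemu process found"; return 1; }
  printf 'user/group: '; ps -o user=,group= -p "$pid"
  printf 'apparmor label: '; cat "/proc/$pid/attr/current"  # e.g. libvirt-<uuid> (enforce), or unconfined
}

# Offline demo on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials | while read -r prof op mask path; do
  echo "# $prof denied $op ($mask) on $path; rule that would allow it:"
  aa_rule_for "$path" "$mask"
done
echo "# effective qemu.conf settings (sample):"
printf '%s\n' "$SAMPLE_CONF" | qemu_conf_settings
if [ $# -ge 1 ]; then inspect_domain "$1" || true; fi
```

Run it with a domain name as the first argument on the host (as root) to get the live user/group and AppArmor label; pipe real log text into apparmor_denials and real /etc/libvirt/qemu.conf into qemu_conf_settings for the rest. Adding the emitted rule to the profile (TEMPLATE.qemu as in the second answer, or the per-domain profile libvirt generates from it under /etc/apparmor.d/libvirt/libvirt-<uuid>) keeps the guest confined; security_driver = "none" removes that confinement for all guests, which is the trade-off the first answer describes.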