On 12/4/19 5:11 AM, Daniel P. Berrangé wrote:
> When QEMU uid/gid is set to non-root this is pointless as if we just
> used a regular setuid/setgid call, the process will have all its
> capabilities cleared anyway by the kernel.
>
> When QEMU uid/gid is set to root, this is almost (always?) never
> what people actually want. People make QEMU run as root in order
> to access some privileged resource that libvirt doesn't support
> yet and this often requires capabilities. As a result they have
> to go find the qemu.conf param to turn this off. This is not
> viable for libguestfs - they want to control everything via the
> XML security label to request running as root regardless of the
> qemu.conf settings for user/group.
>
> Clearing capabilities was implemented originally because there
> was a proposal in Fedora to change permissions such that root,
> with no capabilities would not be able to compromise the system.
> ie a locked down root account. This never went anywhere though,
> and as a result clearing capabilities when running as root does
> not really get us any security benefit AFAICT. The root user
> can easily do something like create a cronjob, which will then
> faithfully be run with full capabilities, trivially bypassing
> the restriction we place.
>
> IOW, our clearing of capabilities is both useless from a security
> POV, and breaks valid use cases when people need to run as root.
>
> This removes the clear_emulator_capabilities configuration
> option from qemu.conf, and always runs QEMU with capabilities
> when root. The behaviour when non-root is unchanged.
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

Reviewed-by: Cole Robinson <crobinso@xxxxxxxxxx>

I checked what happens if that option is left over in qemu.conf: surprisingly nothing, not even a VIR_WARN printed for bogus options. But it looks non-trivial to add in a standardized way.

- Cole