On 01/24/2010 11:57 AM, Dan Kenigsberg wrote:
On Wed, Jan 20, 2010 at 03:14:57PM +0000, Daniel P. Berrange wrote:
This patch series does some work on te security drivers, and the QEMU code
for managing DAC permissions on files.
The core goal is to turn the QEMU driver DAC file management code into a
security driver. Instead of QEMU calling into the SELinux/AppArmour drivers
directly, a stacked driver module is introduced. This delegates all operations
to first the QEMU DAC driver, and then the main SELinux/AppArmour driver.
The end result is that all the permissions management code is removed from
the QEMU driver, and we're left with just simple security driver calls.
In the process of this a number of flaws in the current hotplug code were
found, and code was generally tidied up with a view to making it easier to
manage.
Finally, we add the ability to turn off the QEMU DAC file managment code,
and also deal gracefully with failures to change ownership (eg on NFS with
root squash, or readonly FS).
Thanks for this series. However, it seems that we still have a problem
when trying to save domain to a root-squashing nfs export.
When using qemu directly, as a user with write permissions to that
export, there is no problem. When using libvirt, libvirt tries to write
its own state to the target file. I would not want to pre-create the
target file as world redable.
How about performing open(path, O_CREAT|O_TRUNC|O_WRONLY,
S_IRUSR|S_IWUSR)) with the euid of the qemu process?
I came up with a patch that creates the domain state file by first
forking, followed by the child process doing setuid(qemu) and all the
write-to-the-file stuff that creates the file (similar to the recent
virFileCreate patch). This works all the way up through qemu's appending
its state onto the file.
The trouble comes when qemudDomainSave calls
securityDriver->domainRestoreSavedStateLabel() (in this case,
qemuSecurityStackedRestoreSavedStateLabel()). That function first calls
the primary security driver's qemuSecurityDACRestoreSavedStateLabel(),
which will fail because it attempts to chown the file to 0,0 (to prevent
other qemu instances from messing with it). That can be disabled by
setting "dynamic_ownership=0" in qemu.conf (needed in several other
places when stuff is stored on root-squashing NFS anyway :-/). Then the
stacked security driver calls the secondary security driver's
SELinuxRestoreSavedStateLabel(), which also fails because of an SELinux
function (matchpathcon) returning failure. We could ignore this failure,
but that would create an unnecessary security hole for all those
installations that *aren't* storing their domains on root-squashing NFS.
So I *think* what I'm looking for a good way to avoid the SELinux stuff
when the destination file is located on a root-squashing NFS share, but
not ignore it otherwise (I believe the consensus is that we *don't* want
to require another configuration knob if at all possible, since that
would not only lead to extra complexity of config, but also to
uninformed users turning it off when not necessary). Does anyone have
any good ideas for doing this (or for a different approach)?
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list