[PATCH v2] qemu: Add a qemu.conf option for clearing capabilities


 



Currently there is no way to opt out of libvirt dropping POSIX
capabilities for qemu. At the least this is a useful debugging tool,
but it is also wanted by users (and distributors):

https://bugzilla.redhat.com/show_bug.cgi?id=559154
https://bugzilla.redhat.com/show_bug.cgi?id=573850

v2: Clarify qemu.conf comment, warn about security implications

Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
---
 src/qemu/qemu.conf     |    9 +++++++++
 src/qemu/qemu_conf.c   |    5 +++++
 src/qemu/qemu_conf.h   |    2 +-
 src/qemu/qemu_driver.c |   11 +++++++++--
 4 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 98a1176..93934f3 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -178,3 +178,12 @@
 # QEMU_AUDIO_DRV environment variable when using VNC.
 #
 # vnc_allow_host_audio = 0
+
+# If clear_emulator_capabilities is enabled, libvirt will drop all
+# privileged capabilities of the QEmu/KVM emulator. This is enabled by
+# default.
+#
+# Warning: Disabling this option means that a compromised guest can
+# exploit the privileges and possibly do damage to the host.
+#
+# clear_emulator_capabilities = 1
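Review bot: The new comment says what happens when the option is enabled but not what the emulator is left with when it is disabled, which is the case the warning is about. A reader deciding whether to flip it needs the consequence stated directly; suggest extending the warning to `# Warning: Disabling this option means the emulator keeps whatever capabilities it inherits from libvirtd, so a compromised guest can exploit those privileges and possibly do damage to the host.` (hedged: exactly which capabilities are inherited depends on how libvirtd itself is started). It would also help to note that the value is read as an integer and that a missing line leaves the default of 1 in place.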
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 66a949e..d7e61d2 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -104,6 +104,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
 
     /* Setup critical defaults */
     driver->dynamicOwnership = 1;
+    driver->clearEmulatorCapabilities = 1;
 
     if (!(driver->vncListen = strdup("127.0.0.1"))) {
         virReportOOMError();
@@ -355,6 +356,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
     CHECK_TYPE ("vnc_allow_host_audio", VIR_CONF_LONG);
     if (p) driver->vncAllowHostAudio = p->l;
 
+    p = virConfGetValue (conf, "clear_emulator_capabilities");
+    CHECK_TYPE ("clear_emulator_capabilities", VIR_CONF_LONG);
+    if (p) driver->clearEmulatorCapabilities = p->l;
+
     virConfFree (conf);
     return 0;
 }
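Review bot: `driver->clearEmulatorCapabilities = p->l;` assigns a `long` from the config into a 1-bit field (declared `: 1` in qemu_conf.h), so the value is truncated to its low bit and an even non-zero setting such as `2` silently becomes 0, disabling capability clearing when the user clearly meant to keep it on. Because this is the security-relevant default, the assignment should normalise the value, `if (p) driver->clearEmulatorCapabilities = p->l != 0;`, or reject anything other than 0/1 with an error. The pre-existing `vncAllowHostAudio` line just above has the same truncation, but that one fails open in the less dangerous direction.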
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 7616d15..0f8a1b3 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -138,8 +138,8 @@ struct qemud_driver {
     ebtablesContext *ebtables;
 
     unsigned int relaxedACS : 1;
-
     unsigned int vncAllowHostAudio : 1;
+    unsigned int clearEmulatorCapabilities : 1;
 
     virCapsPtr caps;
 
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index ad7fb54..3faf31e 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3287,7 +3287,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
                               int stdin_fd) {
     const char **argv = NULL, **tmp;
     const char **progenv = NULL;
-    int i, ret;
+    int i, ret, runflags;
     struct stat sb;
     int *vmfds = NULL;
     int nvmfds = 0;
@@ -3501,9 +3501,16 @@ static int qemudStartVMDaemon(virConnectPtr conn,
     for (i = 0 ; i < nvmfds ; i++)
         FD_SET(vmfds[i], &keepfd);
 
+    VIR_DEBUG("Clear emulator capabilities: %d",
+              driver->clearEmulatorCapabilities);
+    runflags = VIR_EXEC_NONBLOCK;
+    if (driver->clearEmulatorCapabilities) {
+        runflags |= VIR_EXEC_CLEAR_CAPS;
+    }
+
     ret = virExecDaemonize(argv, progenv, &keepfd, &child,
                            stdin_fd, &logfile, &logfile,
-                           VIR_EXEC_NONBLOCK | VIR_EXEC_CLEAR_CAPS,
+                           runflags,
                            qemudSecurityHook, &hookData,
                            pidfile);
     VIR_FREE(pidfile);
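Review bot: The `VIR_DEBUG` at the top of the hunk only records the setting at debug verbosity, so a deployment where capability clearing has been switched off leaves no trace in the normal log, which is exactly the case an administrator or incident responder would want to see. Since running the emulator with inherited capabilities is a deliberate weakening of the default, log that branch at warning level, e.g. replace the debug line with `if (!driver->clearEmulatorCapabilities) VIR_WARN0("Emulator capabilities are not being cleared (clear_emulator_capabilities=0)");` while keeping the existing `VIR_DEBUG` for the normal path (assuming the file's logging macros offer a warn-level variant; adjust the macro name to whatever the file already uses). The declaration hunk above adds `runflags` uninitialised, which is fine only because this hunk assigns it unconditionally before use. qemudStartVMDaemon begins before the first hunk and continues past this one.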
-- 
1.6.6.1


