[libvirt] [PATCH 0/12] Improve security driver handling & QEMU DAC management

Daniel P. Berrange berrange at redhat.com
Tue Jan 26 10:23:01 UTC 2010 

On Tue, Jan 26, 2010 at 12:06:58PM +0200, Dan Kenigsberg wrote:
> On Wed, Jan 20, 2010 at 03:14:57PM +0000, Daniel P. Berrange wrote:
> > This patch series does some work on te security drivers, and the QEMU code
> > for managing DAC permissions on files. 
> > 
> > The core goal is to turn the QEMU driver DAC file management code into a
> > security driver. Instead of QEMU calling into the SELinux/AppArmour drivers
> > directly, a stacked driver module is introduced. This delegates all operations
> > to first the QEMU DAC driver, and then the main SELinux/AppArmour driver. 
> > The end result is that all the permissions management code is removed from 
> > the QEMU driver, and we're left with just simple security driver calls.
> > 
> > In the process of this a number of flaws in the current hotplug  code were
> > found, and code was generally tidied up with a view to making it easier to
> > manage.
> > 
> > Finally, we add the ability to turn off the QEMU  DAC file managment code,
> > and also deal gracefully with failures to change ownership (eg on NFS with
> > root squash, or readonly FS).
> 
> hmmm, there's another problem which this patch set does not address:
> error : virStorageFileGetMetadata:415 : cannot open file '/deep/into/my/root/squashing/export': Permission denied
> 
> With dynamic_ownership = 0, libvirt down not mess with chown, but it now
> assumes that it can read disk images.

That is a not unreasonable assumption. The model we want to support is one
where 

 - App uses virStoragePool APIs to setup the NFS mount point on the host
 - App uses virStorageVol APIs to create the new volume with correct
   ownership at time of creation
 - libvirt starts the guest, without needing chown() due to step 2
   getting ownership correct at time of creation.

If libvirt can't read the directories leading upto the image, then it 
would never have been able to create the volume in the first place. The
patchs we have done have aimed at avoiding root squash problems which
prevent chmod/chown of files between root & non-root. We still assume
that we can read files / browse directories.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list