[libvirt] [PATCH dbus v2] Run system instance as an unprivileged user account

Pavel Hrdina phrdina at redhat.com
Tue Oct 31 15:49:35 UTC 2017


On Mon, Oct 30, 2017 at 10:02:35AM +0100, Daniel P. Berrange wrote:
> There is no reason for the libvirt-dbus daemon to require root privileges. All
> it actually needs is ability to connect to libvirtd, which can be achieved by
> dropping in a polkit configuration file

s/file/file./

> Now a libvirt connection to the system bus gives you privileges equivalent to
> root, so this doesn't really improve security on its own. It relies on there
> being a dbus policy that prevents users from issuing elevated APIs.
> 
> For example, a DBus policy could allow non-root users to list VMs on the
> system bus and get their status (aka virsh list equiv). In this case, the
> security isolation does give some benefit.
> 
> Security can be further improved if the admin uses the libvirt polkit file to
> restrict what libvirt-dbus is permitted to do.
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  configure.ac                                       |  5 ++++
>  data/Makefile.am                                   | 33 ++++++++++++++++++----
>  data/system/libvirt-dbus.rules.in                  |  8 ++++++
>  .../{org.libvirt.conf => org.libvirt.conf.in}      |  5 +++-
>  data/system/org.libvirt.service.in                 |  2 +-
>  libvirt-dbus.spec.in                               |  9 ++++++
>  src/main.c                                         |  8 ++++++
>  7 files changed, 62 insertions(+), 8 deletions(-)
>  create mode 100644 data/system/libvirt-dbus.rules.in
>  rename data/system/{org.libvirt.conf => org.libvirt.conf.in} (87%)

Both newly generated files should be listed in .gitignore as Pino
suggested for v1.

[...]

> diff --git a/data/Makefile.am b/data/Makefile.am
> index 58e855f..3f27b02 100644
> --- a/data/Makefile.am
> +++ b/data/Makefile.am
> @@ -9,18 +9,28 @@ system_servicedir = $(DBUS_SYSTEM_SERVICES_DIR)
>  system_service_DATA = $(system_service_in_files:.service.in=.service)
>  
>  system_policy_files = \
> -	system/org.libvirt.conf
> +	system/org.libvirt.conf.in
>  system_policydir = $(DBUS_SYSTEM_POLICIES_DIR)
> -system_policy_DATA = $(system_policy_files)
> +system_policy_DATA = $(system_policy_files:.conf.in=.conf)
> +
> +polkit_files = \
> +	system/libvirt-dbus.rules.in
> +polkit_policydir = $(sysconfdir)/polkit-1/rules.d

s/polkit_policydir/polkitdir/

> +polkit_policy_DATA = $(polkit_files:.rules.in=.rules)
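Review bot: `polkit_policydir = $(sysconfdir)/polkit-1/rules.d` installs the package's rules into the directory polkit reserves for administrator-local rules; rules shipped by a package conventionally go under `$(datadir)/polkit-1/rules.d`, so that an admin's own file in /etc can override the shipped one and a package upgrade never overwrites local edits. Separately, the quoted part of the hunk adds `polkit_files = system/libvirt-dbus.rules.in` and derives `polkit_policy_DATA` from it via `.rules.in=.rules`, but no rule that produces the `.rules` file from the `.rules.in` is visible here; if it is not in the unquoted remainder of the hunk, the generated file needs a substitution rule (as `.service.in` evidently already has, given `system_service_DATA`) and an entry in CLEANFILES alongside the generated `org.libvirt.conf`.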

s/polkit_policy_DATA/polkit_DATA/

Reviewed-by: Pavel Hrdina <phrdina at redhat.com>
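The commit message's point is that dropping root only pays off if polkit limits what the libvirt-dbus account may ask libvirtd to do. The following is an added example, not code from the patch or from libvirt-dbus: it writes the two kinds of rule an admin would put in a polkit `.rules` file (the coarse `org.libvirt.unix.monitor` grant that lets the account open a read-only connection, and a fine-grained allow-list of `org.libvirt.api.*` actions giving roughly a `virsh list` equivalent), and wraps them in a small shim that reproduces how polkitd evaluates rules (in order, first non-null result wins) so the policy can be exercised offline with node. The account name `libvirtdbus`, the shim itself and the `decide()` helper are assumptions; the action identifiers follow libvirt's access-control naming and are not taken from this page.

```javascript
// Added example (not from the libvirt-dbus patch). The rule bodies are what
// would live in /usr/share/polkit-1/rules.d/50-libvirt-dbus.rules; the
// `polkit` object is normally provided by polkitd, so a shim with the same
// evaluation order is defined here to run the policy stand-alone.

// --- shim standing in for polkitd's JavaScript host (assumption) -------------
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  // Rules run in registration order; undefined/null/NOT_HANDLED fall through.
  checkAuthorization(actionId, details, subject) {
    const action = { id: actionId, lookup: (key) => details[key] };
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null && r !== this.Result.NOT_HANDLED) return r;
    }
    // polkitd would fall back to the defaults from the action's .policy file.
    return this.Result.NOT_HANDLED;
  },
};

// --- rules as they would appear in the .rules file ---------------------------
const SERVICE_USER = "libvirtdbus"; // assumed name of the unprivileged account

// Coarse rule: allow a read-only libvirtd connection for the service account.
// org.libvirt.unix.manage (read-write, root-equivalent) is deliberately not
// granted, so it keeps its default of requiring admin authentication.
polkit.addRule(function (action, subject) {
  if (action.id === "org.libvirt.unix.monitor" && subject.user === SERVICE_USER) {
    return polkit.Result.YES;
  }
});

// Fine-grained rule, effective only when libvirtd.conf sets
// access_drivers = ["polkit"]: allow just the operations needed to list
// domains and read their state, and refuse every other API for this account.
const READ_ONLY_API_ACTIONS = new Set([
  "org.libvirt.api.connect.getattr",
  "org.libvirt.api.connect.search-domains",
  "org.libvirt.api.domain.getattr",
  "org.libvirt.api.domain.read",
]);

polkit.addRule(function (action, subject) {
  if (subject.user !== SERVICE_USER) return;              // other users: not our concern
  if (!action.id.startsWith("org.libvirt.api.")) return; // not a fine-grained action
  // Could be scoped further with action.lookup("connect_driver"), e.g. "QEMU".
  return READ_ONLY_API_ACTIONS.has(action.id) ? polkit.Result.YES : polkit.Result.NO;
});

// --- helper: evaluate one request as polkitd would (assumption) --------------
function decide(actionId, user, details = {}) {
  return polkit.checkAuthorization(actionId, details, {
    user,
    local: true,   // a system service is not on a local seat, but the rules
    active: false, // above only look at subject.user
  });
}

// Constructed sample requests, to show the policy in action.
const samples = [
  ["org.libvirt.unix.monitor", "libvirtdbus"],      // yes
  ["org.libvirt.unix.manage", "libvirtdbus"],       // not_handled: falls to .policy default
  ["org.libvirt.api.domain.getattr", "libvirtdbus"], // yes
  ["org.libvirt.api.domain.start", "libvirtdbus"],   // no: starting a VM is not read-only
  ["org.libvirt.api.domain.start", "alice"],         // not_handled: rules ignore other users
];
for (const [actionId, user] of samples) {
  console.log(`${actionId} as ${user} -> ${decide(actionId, user)}`);
}
```

The second rule returns `NO` rather than falling through, so a mis-set default elsewhere cannot re-open a write action for the service account; the coarse `monitor` grant is still required, because libvirtd checks the connection-level action before any fine-grained one.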