[libvirt] path for user provided all-guest-read-only content

Daniel P. Berrangé berrange at redhat.com
Thu Apr 12 08:12:24 UTC 2018


On Wed, Apr 11, 2018 at 05:01:04PM +0200, Christian Ehrhardt wrote:
> Feel free to read [1] for context, here the quote that made me poll for
> opinions:
>   "it would be nice in the future to have some standardized path for user
> provided guest-read-only stuff"
> 
> The TL;DR of their case is:
> - extra info they want to pass, but is not part of libvirts guest
> description (qemu-cmdline in their case)
> - apparmor blocks their access to an unknown path
> 
> There are no reliable paths today to put data for a guest. Guests are named
> with their ID in the paths - so even knowing the guest name - they are not
> predictable (for example /var/lib/libvirt/qemu/domain-1-guestname/ might be
> different next time).
> 
> Due to that I can see their use-case for "let all read from there", but
> OTOH "let all" always feels wrong at first from a security POV.

So the core problem here is that they're using command line passthrough,
and using an arg that tells QEMU to open a file. Libvirt of course does
not know about that file, so doesn't setup security policies for that
file. Your suggestion is to define a special path for apps to use for
cases where command line passthrough is in use. This suggestion will
only work with AppArmor though because it can list wildcard paths in
the policy file we generate, so libvirt doesn't need to know the exact
path the app used in the command line passthrough.  With SELinux there
is no equivalent mechanism - access is granted by setting context on
the file, so libvirt must know the exact files used.  Similarly this
will break if users have activated the DAC security driver to assign
a distinct user / group ID per guest, because again we need to know
the exact filename to set ownership on.

I don't want to define a special path that applications can use if it
is only ever going to work on certain platforms / configurations. The
only supportable option here is to simply never use command line
passthrough.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
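The failure mode described above can be caught before a guest is defined: any absolute path that appears only inside a `<qemu:commandline>` argument is a file libvirt will never label, regardless of whether the host runs AppArmor, SELinux or the per-guest DAC driver. The following lint is an added example written for this page, not libvirt code. It walks a domain XML, collects the file paths libvirt does know about (here only `<disk><source file=.../>`; other labelled device sources exist and would be added the same way) and reports every path found in a passthrough `<qemu:arg>` that is not among them. The sample domain, the `/srv/guest-data/guest1.bin` path and the `opt/example` fw_cfg name are constructed for the example; the `qemu` XML namespace URI is libvirt's real one.

```python
import re
import xml.etree.ElementTree as ET

# libvirt's namespace for QEMU command line passthrough elements.
QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"

# Constructed sample domain: one disk libvirt knows about, plus a
# passthrough -fw_cfg argument that makes QEMU open a file libvirt
# has never heard of (hypothetical path).
SAMPLE_XML = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>guest1</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/guest1.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
  <qemu:commandline>
    <qemu:arg value='-fw_cfg'/>
    <qemu:arg value='name=opt/example,file=/srv/guest-data/guest1.bin'/>
  </qemu:commandline>
</domain>
"""

# An absolute path: a '/' not preceded by a word character or another '/',
# running until whitespace, ',' or '='. Relative names such as the fw_cfg
# key 'opt/example' are deliberately not matched.
PATH_RE = re.compile(r"(?<![\w/])(/[^\s,=]+)")


def labelled_paths(root):
    """Paths libvirt parses from the domain XML and therefore labels
    (sets an SELinux context, AppArmor rule or DAC ownership on)."""
    paths = set()
    for src in root.findall("./devices/disk/source"):
        f = src.get("file")
        if f:
            paths.add(f)
    return paths


def passthrough_paths(root):
    """Absolute paths embedded in <qemu:commandline><qemu:arg value=...>."""
    paths = set()
    for arg in root.findall(f"./{{{QEMU_NS}}}commandline/{{{QEMU_NS}}}arg"):
        value = arg.get("value", "")
        paths.update(PATH_RE.findall(value))
    return paths


def unlabelled_passthrough_paths(xml_text):
    """Return, sorted, every path that QEMU will be told to open via
    command line passthrough but that libvirt will not label."""
    root = ET.fromstring(xml_text)
    return sorted(passthrough_paths(root) - labelled_paths(root))


if __name__ == "__main__":
    for p in unlabelled_passthrough_paths(SAMPLE_XML):
        print(f"passthrough references unlabelled file: {p}")
```

A non-empty result means the guest will work only on hosts where no security driver is active, or where an administrator has hand-written an AppArmor rule for that path; on SELinux or per-guest DAC hosts QEMU will get EACCES on the file. The fix the thread arrives at is to express the file through the domain XML where libvirt supports it, and not through passthrough at all.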

