[libvirt] [PATCH 03/18] security: Include security_util

Daniel P. Berrangé berrange at redhat.com
Tue Nov 27 15:20:02 UTC 2018


On Fri, Nov 23, 2018 at 09:43:21AM +0100, Michal Privoznik wrote:

> +/* There are four namespaces available (xattr(7)):

s/available/available on Linux/

FreeBSD only supports 'user' and 'system' namespaces

> + *
> + *  user - can be modified by anybody,
> + *  system - used by ACLs
> + *  security - used by SELinux
> + *  trusted - accessibly by CAP_SYS_ADMIN processes only
> + *
> + * Looks like the last one is way to go.

That prevents the QEMU driver using this functionality on any
non-Linux host.

The key problem we obviously face is that of the QEMU process
being able to modify the xattrs maliciously. 'trusted' namespace
solves this for Linux but unsolved for BSD/macOS.

I can only think of two alternative ways to deal with this

 - Use a sidecar file. eg $FILEPATH.libvirt.json
   Works ok for plain files. Troublesome for device nodes.
   Would have to use a file in /var/run/libvirt/devs/$DEVNODE
   perhaps ?

 - Use 'user' label but add a cryptographic signature
   as a further attribute. Doesn't prevent tampering
   but lets us throw away the data when tempering is
   detected.

Did you consider either of these, or any other possible
options ?  I'm still loathe to bake in a solution that will
only work on Linux, despite 99% of our userbase being Linux.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




More information about the libvir-list mailing list