[libvirt] [PATCH 03/18] security: Include security_util
Michal Privoznik
mprivozn at redhat.com
Wed Nov 28 11:48:57 UTC 2018
On 11/28/18 11:00 AM, Daniel P. Berrangé wrote:
> On Wed, Nov 28, 2018 at 09:35:49AM +0100, Michal Privoznik wrote:
>> On 11/27/18 4:20 PM, Daniel P. Berrangé wrote:
>>> On Fri, Nov 23, 2018 at 09:43:21AM +0100, Michal Privoznik wrote:
>>>
>>>> +/* There are four namespaces available (xattr(7)):
>>>
>>> s/available/available on Linux/
>>>
>>> FreeBSD only supports 'user' and 'system' namespaces
>>
>> D'oh!
>>
>>>
>>>> + *
>>>> + * user - can be modified by anybody,
>>>> + * system - used by ACLs
>>>> + * security - used by SELinux
>>>> + * trusted - accessibly by CAP_SYS_ADMIN processes only
>>>> + *
>>>> + * Looks like the last one is way to go.
>>>
>>> That prevents the QEMU driver using this functionality on any
>>> non-Linux host.
>>>
>>> The key problem we obviously face is that of the QEMU process
>>> being able to modify the xattrs maliciously. 'trusted' namespace
>>> solves this for Linux but unsolved for BSD/macOS.
>>>
>>> I can only think of two alternative ways to deal with this
>>>
>>> - Use a sidecar file. eg $FILEPATH.libvirt.json
>>> Works ok for plain files. Troublesome for device nodes.
>>> Would have to use a file in /var/run/libvirt/devs/$DEVNODE
>>> perhaps ?
>>
>> I rather not create files. If there is a bug and libvirt doesn't remove
>> the file on the last restore (or it gets refcounting wrong or something)
>> then it requires user intervention.
>
> Isn't that true of this series too - ie if we update the xattr for
> refcount wrong, or fail to remove the xattr on last restore ?
Yes, this the same. If there is a bug then unlink() and setxattr() don't
differ from this POV.
>
> Feels like we have the same possible source of bugs, just against
> an unlink() call rather than a setxattr() call.
>
> The existance of libvirt's sidecar files on disk would be more
> obviously to an admin.
>
> That said tellin people to "rm" the file is kinda dangerous if
> they typo and rm the real disk file that's alongside. Using a
> completely 100% separate directory would solve that.
Except we can't do that. If there is a file accessible to two daemons
(e.g. running on the same host in two different containers) the daemons
can't have their private DB, it has to be shared -> because of
refcounting. If the DB was private then one daemon could not
increment/decrement the refcounter inside the other daemon (consider two
daemons, one starting domain A, the other starting domain B, then the
first destroying domain A).
I mean, this is the sole reason I chose XATTRs and not some in memory
list/mapping of original owners.
>
>> Not only that, but the file would need to be owned by root:root (in
>> order to avoid malicious users mangling its contents) which might not be
>> possible at all times (e.g. root squashed NFS). On the other hand, NFS
>> itself doesn't support XATTRs currently so these patches do not with
>> that filesystem.
>
> Yeah, root sqaush NFS is horrible :-(
>
>>
>>>
>>> - Use 'user' label but add a cryptographic signature
>>> as a further attribute. Doesn't prevent tampering
>>> but lets us throw away the data when tempering is
>>> detected.
>>
>> I'm not sure how this would work with multiple daemons. They would have
>> to have the key shared among them. I mean, if one daemon sets the
>> attribute and signs it with its own key and then comes another daemon
>> and updates the attribute it needs to sign it with the very same key
>> otherwise the signature would be invalidated from the first daemon POV.
>
> Yeah, it would need shared keys in some manner which is a very big
> pain point.
>
>>
>>>
>>> Did you consider either of these, or any other possible
>>> options ? I'm still loathe to bake in a solution that will
>>> only work on Linux, despite 99% of our userbase being Linux.
>>
>> Not really. I focused on Linux and haven't realized BSD doesn't support
>> trusted.
>>
>> Now that I am playing with this it looks like 'system' while being
>> available on both Linux and BSD can't really be set on Linux. But it can
>> be set on BSD (for privileged user only of course). I'm wondering if
>> using 'trusted' on Linux and 'system' on BSD is the way to go. This
>> could work except for cases where BSD and Linux meet, which can be only
>> on NFS (right?) which doesn't support XATTRs anyway. Therefore I think
>> we are safe, aren't we?
>
> I expect eventually NFSv4 may get xattr support - there's a 1 year old
> RFC for it:
>
> https://tools.ietf.org/html/rfc8276
>
> Any app using xattr is going to face this same problem unless they only
> use the common "user" namespace
>
> Maybe justusing trusted (Linux) and system (BSD) is good enough for
> us to get started, and we can allow for a different system (side car
> files, or attribute signatures) in future if it becomes needed.
Agreed.
Michal
More information about the libvir-list
mailing list