[libvirt] [PATCH] qemu: keep capabilities when running QEMU as root

Cole Robinson crobinso at redhat.com
Wed Dec 11 15:25:32 UTC 2019


On 12/4/19 5:11 AM, Daniel P. Berrangé wrote:
> When QEMU uid/gid is set to non-root this is pointless as if we just
> used a regular setuid/setgid call, the process will have all its
> capabilities cleared anyway by the kernel.
> 
> When QEMU uid/gid is set to root, this is almost (always?) never
> what people actually want. People make QEMU run as root in order
> to access some privileged resource that libvirt doesn't support
> yet and this often requires capabilities. As a result they have
> to go find the qemu.conf param to turn this off. This is not
> viable for libguestfs - they want to control everything via the
> XML security label to request running as root regardless of the
> qemu.conf settings for user/group.
> 
> Clearing capabilities was implemented originally because there
> was a proposal in Fedora to change permissions such that root,
> with no capabilities would not be able to compromise the system.
> ie a locked down root account. This never went anywhere though,
> and as a result clearing capabilities when running as root does
> not really get us any security benefit AFAICT. The root user
> can easily do something like create a cronjob, which will then
> faithfully be run with full capabilities, trivially bypassing
> the restriction we place.
> 
> IOW, our clearing of capabilities is both useless from a security
> POV, and breaks valid use cases when people need to run as root.
> 
> This removes the clear_emulator_capabilities configuration
> option from qemu.conf, and always runs QEMU with capabilities
> when root.  The behaviour when non-root is unchanged.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>

Reviewed-by: Cole Robinson <crobinso at redhat.com>

I checked what happens if that option is leftover in qemu.conf,
surprisingly nothing, not even a VIR_WARN printed for bogus options. But
it looks non-trivial to add in a standardized way.

- Cole
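The behaviour the commit message describes (non-root QEMU has its capability set cleared by the kernel; root QEMU now keeps its capabilities) can be verified on a running emulator by reading its /proc/<pid>/status. The following is an added example, not part of this thread or of libvirt: it decodes the CapEff mask the way `capsh --decode` does and flags the old "root with an empty effective set" state; the status excerpts it runs on are constructed, not captured from a real host.

```python
import re
from typing import Dict, List

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_caps(mask_hex: str) -> List[str]:
    """Turn a CapEff/CapPrm hex mask into capability names (like capsh --decode)."""
    mask = int(mask_hex, 16)
    return [f"cap_{CAP_NAMES[bit]}" if bit < len(CAP_NAMES) else f"cap_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1]

def audit_emulator(status_text: str) -> dict:
    """Report effective uid and effective capabilities of an emulator process.
    root_without_caps marks the state the removed clear_emulator_capabilities
    option used to produce: uid 0 with an empty effective set."""
    f = parse_status(status_text)
    uid = int(f["Uid"].split()[1])  # Uid: real effective saved fs
    caps = decode_caps(f["CapEff"])
    return {"uid": uid, "caps": caps, "root_without_caps": uid == 0 and not caps}

# Constructed /proc/<pid>/status excerpts (hypothetical, not from a real host).
ROOT_FULL = "Name:\tqemu-system-x86\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
NONROOT = "Name:\tqemu-system-x86\nUid:\t107\t107\t107\t107\nCapEff:\t0000000000000000\n"
ROOT_EMPTY = "Name:\tqemu-system-x86\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for label, s in (("root", ROOT_FULL), ("non-root", NONROOT), ("root/cleared", ROOT_EMPTY)):
        print(label, audit_emulator(s))
```

On a live host, feed it `open(f"/proc/{pid}/status").read()` for the qemu-system process libvirt launched.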
