[libvirt] RFC: stop clearing QEMU emulator capabilities
Richard W.M. Jones
rjones at redhat.com
Thu Nov 28 13:16:15 UTC 2019
On Thu, Nov 28, 2019 at 01:04:00PM +0000, Daniel P. Berrangé wrote:
> We have an RFE from libguestfs to provide a way to run as root
> *with* capabilities. I looked integrating this into the DAC security
> manager as a new flag in the security label, but then I started
> thinking about the whole idea of clearing capabilities
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1045039
>
> Pretty much forever we have explicitly cleared QEMU emulator
> capabilities when starting it.
>
> When QEMU uid/gid is set to non-root this is pointless as if we just
> used a regular setuid/setgid call, the process will have all its
> capabilities cleared anyway by the kernel.
>
> When QEMU uid/gid is set to root, this is almost (always?) never
> what people actually want. People make QEMU run as root in order
> to access some privileged resource that libvirt doesn't support
> yet and this often requires capabilities. As a result they have
> to go find the qemu.conf param to turn this off. This is not
> viable for libguestfs - they want to control everything via thue
> XML security label to request running as root regardless of the
> qemu.conf settings for user/group.
>
> Clearing capabilities was implemented originally because there
> was a proposal in Fedora to change permissions such that root,
> with no capabilities would not be able to compromise the system.
> ie a locked down root account. This never went anywhere though,
> and as a result clearing capabilities when running as root does
> not really get us any security benefit AFAICT. The root user
> can just do something like create a cronjob, which will then
> faithfully be run with full capabilities, trivially bypassing
> the restriction we place.
>
> IOW, our clearing of capabilities is both useless from a security
> POV, and breaks valid use cases when people need to run as root.
>
> I'm thinking we should just rip out the code which clears capabilities
> and allow default loggic to run
>
> - If uid/gid is non-root, then no capabilities are present
> - If uid/gid is root, then full capabilities are present
All seems reasonable to me ...
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
More information about the libvir-list
mailing list