[libvirt] [PATCH 0/5] security_stack: Perform rollback if one of stacked drivers fails

Daniel P. Berrangé berrange at redhat.com
Thu Oct 10 10:43:56 UTC 2019


On Thu, Oct 10, 2019 at 11:29:17AM +0100, Richard W.M. Jones wrote:
> On Wed, Oct 09, 2019 at 07:49:29PM -0400, Cole Robinson wrote:
> > In that bug, I see that rjones (cc'd) said that libvirt not
> > remembering labels/uid causes issues for libguestfs that requires
> > workarounds. Rich, do you have links to threads or bug reports where
> > this is described in more detail?
> 
> I think there are two problems (which I often confuse) and they are
> possibly related.  This one where libvirt doesn't restore permissions
> afterwards, and the other one where qemu:///session cannot be used as
> root which implies that when you run libguestfs as root it doesn't
> have access to things that root would normally have access to (bug 890291
> / 1045069).
> 
> In answer to your question this is the only one I could find which is
> definitely related to this bug:
> 
> https://www.redhat.com/archives/libguestfs/2013-May/msg00115.html

Anything related to device nodes & permissions/ownership shouldn't
be an issue any more.  We switched to create a private mount namespace
for each QEMU and setup a custom /dev populated with only the devices
QEMU is allowed.  Thus we should no longer be touching permissions/owners
in the real /dev.

> Here's another one, but I think this is related to the other bug:
> 
> https://bugs.launchpad.net/nova/+bug/1241659/comments/6
> 
> I suspect there are cases where openstack sets LIBGUESTFS_BACKEND=direct
> to workaround one of these two bugs.
> 
> Is fixing the qemu:///session as root problem going to also solve this?

If we had a real qemu:///session mode running QEMU itself as root, then
we would never change permissions/ownership. We would still need to be
changing SELinux labels & so the label restore logic is needed there.

We should be able to use qemu:///system & the DAC driver to run QEMU
as root though. There was previously a problem wrt monitor sockets
that you hit when trying this with libguestfs, but I believe that
should now be fixed:

  https://bugzilla.redhat.com/show_bug.cgi?id=890291#c30

If using the DAC driver to request running as root, the only remaining
difference in terms of permissions is that we clear CAP_DAC_OVERRIDE,
so the root user will only be able to access files which explicitly
grant root access. We could fix this limitation in the DAC driver
I believe to allow capabilities to be retained.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
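For readers following the qemu:///system + DAC driver suggestion above, here is the domain XML shape that requests it. This is an added illustration, not XML from the thread or from the libvirt project's test suite; the domain name, UUID and disk path are constructed placeholders, while the `<seclabel>` element, `model='dac'`, `type='static'`, `relabel` and the `+uid:+gid` label syntax are libvirt's own.

```xml
<!-- Added example (not from the thread): run this guest's QEMU process as
     uid 0 / gid 0 via the DAC security driver, while keeping the SELinux
     driver (model='selinux') dynamic so labels are still set and restored. -->
<domain type='kvm'>
  <name>dac-root-example</name>                      <!-- constructed name -->
  <uuid>00000000-0000-0000-0000-000000000001</uuid> <!-- constructed UUID -->
  <memory unit='MiB'>512</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/example.qcow2'/> <!-- constructed path -->
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
  <!-- Static DAC label: QEMU runs as root:root. relabel='yes' means the DAC
       driver still chowns the disk image to +0:+0 on start and restores the
       original owner on shutdown (the restore logic this thread is about). -->
  <seclabel type='static' model='dac' relabel='yes'>
    <label>+0:+0</label>
  </seclabel>
  <!-- SELinux labelling stays dynamic; nothing in the DAC setting changes it. -->
  <seclabel type='dynamic' model='selinux'/>
</domain>
```

Note the caveat from the message above still applies: even with uid 0, libvirt clears CAP_DAC_OVERRIDE from the QEMU process, so a file that does not explicitly grant root access (for example mode 0600 owned by another user) remains unreadable to the guest's QEMU until it is relabelled or its permissions changed.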