[libvirt] [PATCH 0/5] security_stack: Perform rollback if one of stacked drivers fails

Cole Robinson crobinso at redhat.com
Wed Oct 9 23:49:29 UTC 2019


On 9/16/19 5:12 AM, Michal Privoznik wrote:
> See 5/5 for explanation.
> 
> Michal Prívozník (5):
>    security: Pass @migrated to virSecurityManagerSetAllLabel
>    security: Rename virSecurityManagerGetDriver() to
>      virSecurityManagerGetVirtDriver()
>    security: Introduce virSecurityManagerGetDriver()
>    security_stack: Turn list of nested drivers into a doubly linked list
>    security_stack: Perform rollback if one of stacked drivers fails
> 
>   src/lxc/lxc_process.c            |   2 +-
>   src/qemu/qemu_process.c          |   3 +-
>   src/qemu/qemu_security.c         |   6 +-
>   src/qemu/qemu_security.h         |   3 +-
>   src/security/security_apparmor.c |   3 +-
>   src/security/security_dac.c      |   3 +-
>   src/security/security_driver.h   |   3 +-
>   src/security/security_manager.c  |  17 ++-
>   src/security/security_manager.h  |   4 +-
>   src/security/security_nop.c      |   3 +-
>   src/security/security_selinux.c  |   9 +-
>   src/security/security_stack.c    | 220 +++++++++++++++++++++++++------
>   tests/qemusecuritytest.c         |   2 +-
>   tests/securityselinuxlabeltest.c |   2 +-
>   14 files changed, 222 insertions(+), 58 deletions(-)
> 

I gotta admit I'm seriously wondering if supporting this label 
remembering stuff is worth it. I know you've put a heroic amount of work 
into it over a long period of time, but I think it's worth taking 
another look at this whole thing end to end to decide whether it's worth 
the complexity for what we are actually getting.

The old RHEL bug that was tracking this is here: 
https://bugzilla.redhat.com/show_bug.cgi?id=547546

It's closed because it was against RHEL7 and these patches aren't going 
to hit RHEL7. Is there still a major product or project issue that this 
is solving?

In that bug, I see that rjones (cc'd) said that libvirt not remembering 
labels/uid causes issues for libguestfs that requires workarounds. Rich, 
do you have links to threads or bug reports where this is described in 
more detail?

From the end user distro perspective, the main place I have 
historically heard people complain about this is basically:

* download $ISO to home, owned by uid=crobinso
* point virt-manager at it, which uses qemu:///system
* VM starts, $ISO chown'd to uid=qemu
* VM stops, $ISO chown'd to uid=root
* Now there's a root owned image in your homedir.

Worse, if you have a /media directory somewhere shared over http or some 
other service, owned as a non-root user, then changing to root owner can 
disrupt that access. This issue definitely annoys users. Unfortunately 
remember_owner doesn't help here because it's limited to RW media, which 
generally is less often shared than things like ISOs.

I'm interested in hearing other concrete use cases that are solved by 
remember_owner (or at one time we thought would be solved by this).

(in the mean time I will review your patches tomorrow)

Thanks,
Cole
