[libvirt] [patch v2 1/1] virt-aa-helper: Add support for smartcard host-certificates

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu Jan 16 09:43:02 UTC 2020 

On Thu, Dec 5, 2019 at 6:25 PM Arnaud Patard <apatard at hupstream.com> wrote:

> When emulating smartcard with host certificates, qemu needs to
> be able to read the certificates files. Add necessary code to
> add the smartcard certificates file path to the apparmor profile.
>
> Passthrough support has been tested with spicevmc and remote-viewer.
>
> v2:
> - Fix CodingStyle
> - Add support for 'host' case.
> - Add a comment to mention that the passthrough case doesn't need
>   some configuration
> - Use one rule with '{,*}' instead of two rules.
>
> Signed-off-by: Arnaud Patard <apatard at hupstream.com>
> Index: libvirt/src/security/virt-aa-helper.c
> ===================================================================
> --- libvirt.orig/src/security/virt-aa-helper.c
> +++ libvirt/src/security/virt-aa-helper.c
> @@ -1271,6 +1271,39 @@ get_files(vahControl * ctl)
>          }
>      }
>
> +    for (i = 0; i < ctl->def->nsmartcards; i++) {
> +        virDomainSmartcardDefPtr sc = ctl->def->smartcards[i];
> +        virDomainSmartcardType sc_type = sc->type;
> +        char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
> +        if (sc->data.cert.database)
> +            sc_db = sc->data.cert.database;
> +        switch (sc_type) {
> +            /*
> +             * Note: At time of writing, to get this working, qemu
> seccomp sandbox has
> +             * to be disabled or the host must be running QEMU with commit
> +             * 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8.
> +             * It's possibly due to
> libcacard:vcard_emul_new_event_thread(), which calls
> +             * PR_CreateThread(), which calls {g,s}etpriority(). And
> resourcecontrol seccomp
> +             * filter forbids it (cf src/qemu/qemu_command.c which seems
> to always use
> +             * resourcecontrol=deny).
> +             */
> +            case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
> +                virBufferAddLit(&buf, "  \"/etc/pki/nssdb/{,*}\" rk,\n");
>

That path matches the examples in libvirt/qemu and also the fedora nss
package
[root at fedora~]# rpm -qf /etc/pki/nssdb/
nss-3.47.0-2.fc29.x86_64
[root at fedora ~]# ll /etc/pki/nssdb/
total 8
-rw-r--r-- 1 root root 65536 Jan  6  2017 cert8.db
-rw-r--r-- 1 root root  9216 Jan  6  2017 cert9.db
-rw-r--r-- 1 root root 16384 Jan  6  2017 key3.db
-rw-r--r-- 1 root root 11264 Jan  6  2017 key4.db
-rw-r--r-- 1 root root   451 Oct 23 11:23 pkcs11.txt
-rw-r--r-- 1 root root 16384 Jan  6  2017 secmod.db

But on Debian/Ubuntu the paths are slightly different.
root at x:~# dpkg -L libnss3-nssdb
[...]
/var/lib/nssdb/key4.db
/var/lib/nssdb/cert9.db
/var/lib/nssdb/pkcs11.txt
/var/lib/nssdb/secmod.db

Therefore I'd ask you to add that path as well here.


+                break;
> +            case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
> +                virBufferAsprintf(&buf, "  \"%s/{,*}\" rk,\n", sc_db);
> +                break;
>

>From https://libvirt.org/formatdomain.html#elementsSmartcard
"An additional sub-element <database> can specify the absolute path to an
alternate directory ... if not present, it defaults to /etc/pki/nssdb."
That is in "VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE".
Have you tested if sc_db is actually set to
"VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE"
in that case?
If it is e.g. undefined we need to check for that and add
"VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE"
instead.

Furthermore actually this lets us define:
  <smartcard mode='host-certificates'>
    <certificate>cert1</certificate>
    <certificate>cert2</certificate>
    <certificate>cert3</certificate>
    <database>/etc/pki/nssdb/</database>
  </smartcard>

There could be two guests using rather different cert[1-3] and there is no
need letting them cross read right?
So instead of
  virBufferAsprintf(&buf, "  \"%s/{,*}\" rk,\n", sc_db);
maybe something like this is safer:
iterate on certs-that-are-defined => cert
    virBufferAsprintf(&buf, "  \"%s/%s\" rk,\n", sc_db, cert);



> +            /*
> +             * Nothing to do for passthrough, as the smartcard
> +             * access is done through TCP or Spice
> +             */
> +            case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
> +                break;
> +            case VIR_DOMAIN_SMARTCARD_TYPE_LAST:
> +                break;
> +        }
> +    }
> +
>      if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>          for (i = 0; i < ctl->def->nnets; i++) {
>              virDomainNetDefPtr net = ctl->def->nets[i];
>
>
>

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20200116/970f2bad/attachment-0001.htm>

More information about the libvir-list mailing list