[libvirt] improve security by adjusting the privileges of libvirtd processes
yebiaoxiang
yebiaoxiang at huawei.com
Tue Nov 17 06:35:52 UTC 2020
Thanks for the information, that's really a good news.
I'll learn more about modular daemons .
Regards,
BiaoXiang
On 2020/11/16 21:22, Daniel P. Berrangé wrote:
> On Mon, Nov 16, 2020 at 08:12:22PM +0800, yebiaoxiang wrote:
>> Hi Team
>>
>> The daemon libvirtd runs as root user, which against the least privilege
>> security model.
>>
>> root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen
>>
>> In addition, the "--listen" parameter exposes TCP or TLS ports on the network,
>> it increasing the attack surface.
>>
>> tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN 647824/libvirtd
>> tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN 647824/libvirtd
>>
>> I have the following puzzles:
>> 1. Whether root is the least privilege required for libvirtd to manage
>> virtualization platforms, it's possible to run libvirtd as a non-root user?
>
> The libvirtd daemon is our so called "monolithic" daemon that does
> everything
>
> There are two modes libvirtd can operate in. system mode where it is
> running as root, and session mode where it is running as an unprivileged
> user.
>
> The main issue is that session mode lacks *many* features, because if you
> are unprivileged you can't do many operations. For example, QEMU can't
> use most networking features, it can't use PCI host device assignment,
> it can't use huge pages, is limited in cgroups features, and more.
>
> So data center / cloud virtualization apps, always use libvirtd in system
> mode and run running as root.
>
> The unprivileged session mode is only really useful for desktop virt, and
> even then it is a bit painful to be limited in features.
>
>> 2. Is there any plan to resolve this security weaknesses?
>> (like move the function of "--listen" to an independent non-root process,
>> or other good idea)
>
> We have introduced a new set of modular daemons to replace libvirtd.
> In this case, there is one daemon for each libvirt driver. so we have
> a virtqemud, virtnodedevd, virtnetworkd, virtstoraged, and so on.
>
> Many of these daemons will still need to run as root, however, because
> you still have the issue of needing to use features which are only
> available as root.
>
> Some of them though are more amenable to lockdown. In particular the
> TCP based remote access is in a separate virtproxyd daemon. That could
> be made to run unprivileged without much difficulty.
>
>
> We still ship with libvirtdas the default, but we want to switch to
> the modular daemons by default very soon.
>
> More info is here:
>
> https://libvirt.org/daemons.html
>
> Regards,
> Daniel
>
More information about the libvir-list
mailing list