[libvirt-users] Which objects does dynamic_ownership apply to?

Michal Privoznik mprivozn at redhat.com
Thu Sep 20 11:25:41 UTC 2018 

On 09/20/2018 12:31 PM, Milan Zamazal wrote:
> Michal Prívozník <mprivozn at redhat.com> writes:
> 
>> On 09/19/2018 12:39 PM, Milan Zamazal wrote:
>>> Hi, I'm playing with dynamic ownership and not all objects have their
>>> owners changed.
>>
>>>
>>> Is dynamic_ownership and its scope documented somewhere, besides the
>>> comment in qemu.conf?
>>>
>>> And what kinds of objects are handled by dynamic ownership?  While some
>>> objects seem to be handled, other objects are apparently unaffected.
>>> For instance /dev/hwrng or a USB host device keep their root owners and
>>> are inaccessible to the VM.  Is that expected or do I have anything
>>> wrong?
>>
>> Basically, if a file is used solely by a domain we can relabel it.
>> However, if a file can be used by other processes (not only qemu) then
>> we must not change its label as we would be effectively cutting of the
>> other processes we know nothing about. In this case, /dev/hwrng might be
>> used by some other process in the system. Also the fact that it's owned
>> by root:root and not readable by anybody except the root user, tells me
>> that we might not want to pass the file to any domain?
> 
> Well, /dev/hwrng may be arguable, although oVirt permits passing it to a
> VM, of course only on explicit user's request.
> 
> But how about host devices such as USB and PCI devices?  For example
> 
>   <hostdev managed="no" mode="subsystem" type="usb">
>       <source>
>           <address bus="3" device="2" />
>       </source>
>       <alias name="ua-3773b389-54be-4fd5-ae8b-2f954470b1a9" />
>       <address bus="0" port="1" type="usb" />
>   </hostdev>
> 
> doesn't change the owner of /dev/bus/usb/003/002 (the same for
> managed="yes"). 

Are you perhaps using namespaces and looking into the parent namespace
rather than into qemu namespace?

 Similarly for a PCI hostdev device /dev/vfio/* owners
> are not changed.  Does the same argument apply?

Again, try looking into the namespace.

> 
> OTOH, a CD-ROM image, which can be shared across domains and at least in
> theory can be accessed by other processes, gets its owner changed.

Well, this is arguable. Firstly, if you want CD-ROM image to be shared,
it needs to have <shareable/> tag, and you may want to either disable
relabelling by <seclabel relabel='no'/> or ensure by other ways that all
qemu processes are able to access it.

Libvirt should not get involved into coming up with a seclabel that
would fit all. In terms of unix uid:gid - libvirt should not try to
figure out which users belong to which groups and try to find such
combination that would fit all. This is sysadmin's responsibility.

> 
> My primary concern right now is what exactly is handled.  We can deal
> with manual ownership changes of certain devices as we have done so far.
> But I'm looking for a more reliable source of information than my
> experiments, to prevent future breakages.  Is it documented anywhere
> what is handled by libvirt and what is not?  Or can it be defined in
> less ambiguous terms than above?

What devices are you changing yourself? We definitely need to go through
the list and evaluate every item.

Michal

More information about the libvirt-users mailing list