libvirt/src/qemu/libvirtd_qemu.aug

184 lines
6.9 KiB
Plaintext
Raw Normal View History

(* /etc/libvirt/qemu.conf *)
module Libvirtd_qemu =
autoload xfm
let eol = del /[ \t]*\n/ "\n"
let value_sep = del /[ \t]*=[ \t]*/ " = "
let indent = del /[ \t]*/ ""
let array_sep = del /,[ \t\n]*/ ", "
let array_start = del /\[[ \t\n]*/ "[ "
let array_end = del /\]/ "]"
let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
let bool_val = store /0|1/
let int_val = store /[0-9]+/
let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
let str_entry (kw:string) = [ key kw . value_sep . str_val ]
let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
let int_entry (kw:string) = [ key kw . value_sep . int_val ]
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
let unlimited_val = del /\"/ "\"" . store /unlimited/ . del /\"/ "\""
let limits_entry (kw:string) = [ key kw . value_sep . unlimited_val ] | [ key kw . value_sep . int_val ]
(* Config entry grouped by function - same order as example config *)
let default_tls_entry = str_entry "default_tls_x509_cert_dir"
| bool_entry "default_tls_x509_verify"
| str_entry "default_tls_x509_secret_uuid"
let vnc_entry = str_entry "vnc_listen"
| bool_entry "vnc_auto_unix_socket"
| bool_entry "vnc_tls"
| str_entry "vnc_tls_x509_cert_dir"
| str_entry "vnc_tls_x509_secret_uuid"
| bool_entry "vnc_tls_x509_verify"
| str_entry "vnc_password"
2009-03-16 13:54:26 +00:00
| bool_entry "vnc_sasl"
| str_entry "vnc_sasl_dir"
| bool_entry "vnc_allow_host_audio"
let spice_entry = str_entry "spice_listen"
| bool_entry "spice_tls"
| str_entry "spice_tls_x509_cert_dir"
| bool_entry "spice_auto_unix_socket"
| str_entry "spice_password"
| bool_entry "spice_sasl"
| str_entry "spice_sasl_dir"
let chardev_entry = bool_entry "chardev_tls"
| str_entry "chardev_tls_x509_cert_dir"
| bool_entry "chardev_tls_x509_verify"
| str_entry "chardev_tls_x509_secret_uuid"
let migrate_entry = str_entry "migrate_tls_x509_cert_dir"
| bool_entry "migrate_tls_x509_verify"
| str_entry "migrate_tls_x509_secret_uuid"
| bool_entry "migrate_tls_force"
let backup_entry = str_entry "backup_tls_x509_cert_dir"
| bool_entry "backup_tls_x509_verify"
| str_entry "backup_tls_x509_secret_uuid"
let vxhs_entry = bool_entry "vxhs_tls"
| str_entry "vxhs_tls_x509_cert_dir"
| str_entry "vxhs_tls_x509_secret_uuid"
let nbd_entry = bool_entry "nbd_tls"
| str_entry "nbd_tls_x509_cert_dir"
| str_entry "nbd_tls_x509_secret_uuid"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
let remote_display_entry = int_entry "remote_display_port_min"
| int_entry "remote_display_port_max"
| int_entry "remote_websocket_port_min"
| int_entry "remote_websocket_port_max"
let security_entry = str_entry "security_driver"
| bool_entry "security_default_confined"
| bool_entry "security_require_confined"
| str_entry "user"
| str_entry "group"
| bool_entry "dynamic_ownership"
| bool_entry "remember_owner"
| str_array_entry "cgroup_controllers"
| str_array_entry "cgroup_device_acl"
2012-09-17 07:59:53 +00:00
| int_entry "seccomp_sandbox"
| str_array_entry "namespaces"
let save_entry = str_entry "save_image_format"
| str_entry "dump_image_format"
| str_entry "snapshot_image_format"
| str_entry "auto_dump_path"
| bool_entry "auto_dump_bypass_cache"
| bool_entry "auto_start_bypass_cache"
let process_entry = str_entry "hugetlbfs_mount"
| str_entry "bridge_helper"
| str_entry "pr_helper"
| str_entry "slirp_helper"
| str_entry "dbus_daemon"
| bool_entry "set_process_name"
| int_entry "max_processes"
| int_entry "max_files"
| limits_entry "max_core"
| bool_entry "dump_guest_core"
| str_entry "stdio_handler"
| int_entry "max_threads_per_process"
let device_entry = bool_entry "mac_filter"
| bool_entry "relaxed_acs_check"
| bool_entry "allow_disk_format_probing"
| str_entry "lock_manager"
let rpc_entry = int_entry "max_queued"
| int_entry "keepalive_interval"
| int_entry "keepalive_count"
let network_entry = str_entry "migration_address"
| int_entry "migration_port_min"
| int_entry "migration_port_max"
| str_entry "migration_host"
let log_entry = bool_entry "log_timestamp"
let nvram_entry = str_array_entry "nvram"
let debug_level_entry = int_entry "gluster_debug_level"
| bool_entry "virtiofsd_debug"
let memory_entry = str_entry "memory_backing_dir"
let swtpm_entry = str_entry "swtpm_user"
| str_entry "swtpm_group"
qemu: keep capabilities when running QEMU as root When QEMU uid/gid is set to non-root this is pointless as if we just used a regular setuid/setgid call, the process will have all its capabilities cleared anyway by the kernel. When QEMU uid/gid is set to root, this is almost (always?) never what people actually want. People make QEMU run as root in order to access some privileged resource that libvirt doesn't support yet and this often requires capabilities. As a result they have to go find the qemu.conf param to turn this off. This is not viable for libguestfs - they want to control everything via the XML security label to request running as root regardless of the qemu.conf settings for user/group. Clearing capabilities was implemented originally because there was a proposal in Fedora to change permissions such that root, with no capabilities would not be able to compromise the system. ie a locked down root account. This never went anywhere though, and as a result clearing capabilities when running as root does not really get us any security benefit AFAICT. The root user can easily do something like create a cronjob, which will then faithfully be run with full capabilities, trivially bypassing the restriction we place. IOW, our clearing of capabilities is both useless from a security POV, and breaks valid use cases when people need to run as root. This removes the clear_emulator_capabilities configuration option from qemu.conf, and always runs QEMU with capabilities when root. The behaviour when non-root is unchanged. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-11-28 14:27:54 +00:00
(* Entries that used to exist in the config which are now
* deleted. We keep on parsing them so we don't break
* ability to parse old configs after upgrade
*)
let obsolete_entry = bool_entry "clear_emulator_capabilities"
let capability_filters_entry = str_array_entry "capability_filters"
2013-04-30 14:28:20 +00:00
(* Each entry in the config is one of the following ... *)
let entry = default_tls_entry
| vnc_entry
| spice_entry
| chardev_entry
| migrate_entry
| backup_entry
| nogfx_entry
| remote_display_entry
| security_entry
| save_entry
| process_entry
| device_entry
| rpc_entry
| network_entry
| log_entry
| nvram_entry
| debug_level_entry
| memory_entry
| vxhs_entry
| nbd_entry
| swtpm_entry
| capability_filters_entry
qemu: keep capabilities when running QEMU as root When QEMU uid/gid is set to non-root this is pointless as if we just used a regular setuid/setgid call, the process will have all its capabilities cleared anyway by the kernel. When QEMU uid/gid is set to root, this is almost (always?) never what people actually want. People make QEMU run as root in order to access some privileged resource that libvirt doesn't support yet and this often requires capabilities. As a result they have to go find the qemu.conf param to turn this off. This is not viable for libguestfs - they want to control everything via the XML security label to request running as root regardless of the qemu.conf settings for user/group. Clearing capabilities was implemented originally because there was a proposal in Fedora to change permissions such that root, with no capabilities would not be able to compromise the system. ie a locked down root account. This never went anywhere though, and as a result clearing capabilities when running as root does not really get us any security benefit AFAICT. The root user can easily do something like create a cronjob, which will then faithfully be run with full capabilities, trivially bypassing the restriction we place. IOW, our clearing of capabilities is both useless from a security POV, and breaks valid use cases when people need to run as root. This removes the clear_emulator_capabilities configuration option from qemu.conf, and always runs QEMU with capabilities when root. The behaviour when non-root is unchanged. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-11-28 14:27:54 +00:00
| obsolete_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
let record = indent . entry . eol
let lns = ( record | comment | empty ) *
let filter = incl "/etc/libvirt/qemu.conf"
. Util.stdexcl
let xfm = transform lns filter