qemu: Add a qemu.conf option for clearing capabilities

Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors): https://bugzilla.redhat.com/show_bug.cgi?id=559154 https://bugzilla.redhat.com/show_bug.cgi?id=573850 v2: Clarify qemu.conf comment, warn about security implications v3: Add .aug changes
2024-12-23 14:15:28 +00:00 · 2010-05-27 19:17:55 -04:00 · 2010-05-27 19:17:55 -04:00 · 8b5bc6c479
commit 8b5bc6c479
parent f9a4df5a5b
6 changed files with 29 additions and 3 deletions
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@ -39,6 +39,7 @@ module Libvirtd_qemu =
                 | str_entry "hugetlbfs_mount"
                 | bool_entry "relaxed_acs_check"
                 | bool_entry "vnc_allow_host_audio"
+                 | bool_entry "clear_emulator_capabilities"

   (* Each enty in the config is one of the following three ... *)
   let entry = vnc_entry
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@ -178,3 +178,12 @@
 # QEMU_AUDIO_DRV environment variable when using VNC.
 #
 # vnc_allow_host_audio = 0
+
+# If clear_emulator_capabilities is enabled, libvirt will drop all
+# privileged capabilities of the QEmu/KVM emulator. This is enabled by
+# default.
+#
+# Warning: Disabling this option means that a compromised guest can
+# exploit the privileges and possibly do damage to the host.
+#
+# clear_emulator_capabilities = 1
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@ -104,6 +104,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,

    /* Setup critical defaults */
    driver->dynamicOwnership = 1;
+    driver->clearEmulatorCapabilities = 1;

    if (!(driver->vncListen = strdup("127.0.0.1"))) {
        virReportOOMError();
@ -355,6 +356,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
    CHECK_TYPE ("vnc_allow_host_audio", VIR_CONF_LONG);
    if (p) driver->vncAllowHostAudio = p->l;

+    p = virConfGetValue (conf, "clear_emulator_capabilities");
+    CHECK_TYPE ("clear_emulator_capabilities", VIR_CONF_LONG);
+    if (p) driver->clearEmulatorCapabilities = p->l;
+
    virConfFree (conf);
    return 0;
 }
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@ -138,8 +138,8 @@ struct qemud_driver {
    ebtablesContext *ebtables;

    unsigned int relaxedACS : 1;
-
    unsigned int vncAllowHostAudio : 1;
+    unsigned int clearEmulatorCapabilities : 1;

    virCapsPtr caps;

--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@ -3287,7 +3287,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
                              int stdin_fd) {
    const char **argv = NULL, **tmp;
    const char **progenv = NULL;
-    int i, ret;
+    int i, ret, runflags;
    struct stat sb;
    int *vmfds = NULL;
    int nvmfds = 0;
@ -3501,9 +3501,16 @@ static int qemudStartVMDaemon(virConnectPtr conn,
    for (i = 0 ; i < nvmfds ; i++)
        FD_SET(vmfds[i], &keepfd);

+    VIR_DEBUG("Clear emulator capabilities: %d",
+              driver->clearEmulatorCapabilities);
+    runflags = VIR_EXEC_NONBLOCK;
+    if (driver->clearEmulatorCapabilities) {
+        runflags |= VIR_EXEC_CLEAR_CAPS;
+    }
+
    ret = virExecDaemonize(argv, progenv, &keepfd, &child,
                           stdin_fd, &logfile, &logfile,
-                           VIR_EXEC_NONBLOCK | VIR_EXEC_CLEAR_CAPS,
+                           runflags,
                           qemudSecurityHook, &hookData,
                           pidfile);
    VIR_FREE(pidfile);
--- a/src/qemu/test_libvirtd_qemu.aug
+++ b/src/qemu/test_libvirtd_qemu.aug
@ -99,6 +99,8 @@ hugetlbfs_mount = \"/dev/hugepages\"
 relaxed_acs_check = 1

 vnc_allow_host_audio = 1
+
+clear_emulator_capabilities = 0
 "

   test Libvirtd_qemu.lns get conf =
@ -208,3 +210,5 @@ vnc_allow_host_audio = 1
 { "relaxed_acs_check" = "1" }
 { "#empty" }
 { "vnc_allow_host_audio" = "1" }
+{ "#empty" }
+{ "clear_emulator_capabilities" = "0" }