qemu: Add a qemu.conf option for clearing capabilities
Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors):

https://bugzilla.redhat.com/show_bug.cgi?id=559154
https://bugzilla.redhat.com/show_bug.cgi?id=573850

v2: Clarify qemu.conf comment, warn about security implications
v3: Add .aug changes
parent
f9a4df5a5b
commit
8b5bc6c479
@ -39,6 +39,7 @@ module Libvirtd_qemu =
|
|||||||
| str_entry "hugetlbfs_mount"
|
| str_entry "hugetlbfs_mount"
|
||||||
| bool_entry "relaxed_acs_check"
|
| bool_entry "relaxed_acs_check"
|
||||||
| bool_entry "vnc_allow_host_audio"
|
| bool_entry "vnc_allow_host_audio"
|
||||||
|
| bool_entry "clear_emulator_capabilities"
|
||||||
|
|
||||||
(* Each enty in the config is one of the following three ... *)
|
(* Each enty in the config is one of the following three ... *)
|
||||||
let entry = vnc_entry
|
let entry = vnc_entry
|
||||||
|
@ -178,3 +178,12 @@
|
|||||||
# QEMU_AUDIO_DRV environment variable when using VNC.
|
# QEMU_AUDIO_DRV environment variable when using VNC.
|
||||||
#
|
#
|
||||||
# vnc_allow_host_audio = 0
|
# vnc_allow_host_audio = 0
|
||||||
|
|
||||||
|
# If clear_emulator_capabilities is enabled, libvirt will drop all
|
||||||
|
# privileged capabilities of the QEmu/KVM emulator. This is enabled by
|
||||||
|
# default.
|
||||||
|
#
|
||||||
|
# Warning: Disabling this option means that a compromised guest can
|
||||||
|
# exploit the privileges and possibly do damage to the host.
|
||||||
|
#
|
||||||
|
# clear_emulator_capabilities = 1
|
||||||
|
@ -104,6 +104,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
|
|||||||
|
|
||||||
/* Setup critical defaults */
|
/* Setup critical defaults */
|
||||||
driver->dynamicOwnership = 1;
|
driver->dynamicOwnership = 1;
|
||||||
|
driver->clearEmulatorCapabilities = 1;
|
||||||
|
|
||||||
if (!(driver->vncListen = strdup("127.0.0.1"))) {
|
if (!(driver->vncListen = strdup("127.0.0.1"))) {
|
||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
@ -355,6 +356,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
|
|||||||
CHECK_TYPE ("vnc_allow_host_audio", VIR_CONF_LONG);
|
CHECK_TYPE ("vnc_allow_host_audio", VIR_CONF_LONG);
|
||||||
if (p) driver->vncAllowHostAudio = p->l;
|
if (p) driver->vncAllowHostAudio = p->l;
|
||||||
|
|
||||||
|
p = virConfGetValue (conf, "clear_emulator_capabilities");
|
||||||
|
CHECK_TYPE ("clear_emulator_capabilities", VIR_CONF_LONG);
|
||||||
|
if (p) driver->clearEmulatorCapabilities = p->l;
|
||||||
|
|
||||||
virConfFree (conf);
|
virConfFree (conf);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
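Review bot: The new assignment `if (p) driver->clearEmulatorCapabilities = p->l;` stores a long into a field that the struct hunk declares as `unsigned int clearEmulatorCapabilities : 1`, so only the low bit is kept and `clear_emulator_capabilities = 2` (or any even value) ends up as 0 and silently turns capability clearing off. Since this flag gates a security default, the value should be normalised, `if (p) driver->clearEmulatorCapabilities = (p->l != 0);`, or values other than 0 and 1 should be rejected with an error so that a typo fails closed. The neighbouring `vnc_allow_host_audio` assignment follows the same pattern, but truncation there does not weaken confinement. qemudLoadDriverConfig starts outside the hunks shown.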
@ -138,8 +138,8 @@ struct qemud_driver {
|
|||||||
ebtablesContext *ebtables;
|
ebtablesContext *ebtables;
|
||||||
|
|
||||||
unsigned int relaxedACS : 1;
|
unsigned int relaxedACS : 1;
|
||||||
|
|
||||||
unsigned int vncAllowHostAudio : 1;
|
unsigned int vncAllowHostAudio : 1;
|
||||||
|
unsigned int clearEmulatorCapabilities : 1;
|
||||||
|
|
||||||
virCapsPtr caps;
|
virCapsPtr caps;
|
||||||
|
|
||||||
|
@ -3287,7 +3287,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
|
|||||||
int stdin_fd) {
|
int stdin_fd) {
|
||||||
const char **argv = NULL, **tmp;
|
const char **argv = NULL, **tmp;
|
||||||
const char **progenv = NULL;
|
const char **progenv = NULL;
|
||||||
int i, ret;
|
int i, ret, runflags;
|
||||||
struct stat sb;
|
struct stat sb;
|
||||||
int *vmfds = NULL;
|
int *vmfds = NULL;
|
||||||
int nvmfds = 0;
|
int nvmfds = 0;
|
||||||
@ -3501,9 +3501,16 @@ static int qemudStartVMDaemon(virConnectPtr conn,
|
|||||||
for (i = 0 ; i < nvmfds ; i++)
|
for (i = 0 ; i < nvmfds ; i++)
|
||||||
FD_SET(vmfds[i], &keepfd);
|
FD_SET(vmfds[i], &keepfd);
|
||||||
|
|
||||||
|
VIR_DEBUG("Clear emulator capabilities: %d",
|
||||||
|
driver->clearEmulatorCapabilities);
|
||||||
|
runflags = VIR_EXEC_NONBLOCK;
|
||||||
|
if (driver->clearEmulatorCapabilities) {
|
||||||
|
runflags |= VIR_EXEC_CLEAR_CAPS;
|
||||||
|
}
|
||||||
|
|
||||||
ret = virExecDaemonize(argv, progenv, &keepfd, &child,
|
ret = virExecDaemonize(argv, progenv, &keepfd, &child,
|
||||||
stdin_fd, &logfile, &logfile,
|
stdin_fd, &logfile, &logfile,
|
||||||
VIR_EXEC_NONBLOCK | VIR_EXEC_CLEAR_CAPS,
|
runflags,
|
||||||
qemudSecurityHook, &hookData,
|
qemudSecurityHook, &hookData,
|
||||||
pidfile);
|
pidfile);
|
||||||
VIR_FREE(pidfile);
|
VIR_FREE(pidfile);
|
||||||
|
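Review bot: When `driver->clearEmulatorCapabilities` is 0 the emulator is started without `VIR_EXEC_CLEAR_CAPS`, yet the only trace of that is the `VIR_DEBUG` line, which is usually not present in production logs. Because this is a deliberate weakening of the default confinement, the disabled path should be logged at warning level so that operators and log monitoring can see which hosts run guests this way, for example `} else { VIR_WARN("clear_emulator_capabilities is disabled; %s keeps its capabilities", argv[0]); }` (assuming `argv[0]` is the emulator binary, which the hunk does not show). A short comment above `runflags = VIR_EXEC_NONBLOCK;` stating that the flag comes from qemu.conf and defaults to on would also help the next reader. The body of qemudStartVMDaemon begins and ends outside these hunks.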
@ -99,6 +99,8 @@ hugetlbfs_mount = \"/dev/hugepages\"
|
|||||||
relaxed_acs_check = 1
|
relaxed_acs_check = 1
|
||||||
|
|
||||||
vnc_allow_host_audio = 1
|
vnc_allow_host_audio = 1
|
||||||
|
|
||||||
|
clear_emulator_capabilities = 0
|
||||||
"
|
"
|
||||||
|
|
||||||
test Libvirtd_qemu.lns get conf =
|
test Libvirtd_qemu.lns get conf =
|
||||||
@ -208,3 +210,5 @@ vnc_allow_host_audio = 1
|
|||||||
{ "relaxed_acs_check" = "1" }
|
{ "relaxed_acs_check" = "1" }
|
||||||
{ "#empty" }
|
{ "#empty" }
|
||||||
{ "vnc_allow_host_audio" = "1" }
|
{ "vnc_allow_host_audio" = "1" }
|
||||||
|
{ "#empty" }
|
||||||
|
{ "clear_emulator_capabilities" = "0" }
|
||||||
|