1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-20 07:59:00 +00:00
Daniel P. Berrangé 1902356231 qemu: keep capabilities when running QEMU as root
When QEMU uid/gid is set to non-root this is pointless as if we just
used a regular setuid/setgid call, the process will have all its
capabilities cleared anyway by the kernel.

When QEMU uid/gid is set to root, this is almost (always?) never
what people actually want. People make QEMU run as root in order
to access some privileged resource that libvirt doesn't support
yet and this often requires capabilities. As a result they have
to go find the qemu.conf param to turn this off. This is not
viable for libguestfs - they want to control everything via the
XML security label to request running as root regardless of the
qemu.conf settings for user/group.

Clearing capabilities was implemented originally because there
was a proposal in Fedora to change permissions such that root,
with no capabilities would not be able to compromise the system.
ie a locked down root account. This never went anywhere though,
and as a result clearing capabilities when running as root does
not really get us any security benefit AFAICT. The root user
can easily do something like create a cronjob, which will then
faithfully be run with full capabilities, trivially bypassing
the restriction we place.

IOW, our clearing of capabilities is both useless from a security
POV, and breaks valid use cases when people need to run as root.

This removes the clear_emulator_capabilities configuration
option from qemu.conf, and always runs QEMU with capabilities
when root.  The behaviour when non-root is unchanged.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-11 16:01:20 +00:00
..
2019-10-24 08:10:37 +02:00
2019-09-03 15:37:54 -06:00

       libvirt library code README
       ===========================

The directory provides the bulk of the libvirt codebase. Everything
except for the libvirtd daemon and client tools. The build uses a
large number of libtool convenience libraries - one for each child
directory, and then links them together for the final libvirt.so,
although some bits get linked directly to libvirtd daemon instead.

The files directly in this directory are supporting the public API
entry points & data structures.

There are two core shared modules to be aware of:

 * util/  - a collection of shared APIs that can be used by any
            code. This directory is always in the include path
            for all things built

 * conf/  - APIs for parsing / manipulating all the official XML
            files used by the public API. This directory is only
            in the include path for driver implementation modules

 * vmx/   - VMware VMX config handling (used by esx/ and vmware/)


Then there are the hypervisor implementations:

 * bhyve         - bhyve - The BSD Hypervisor
 * esx/          - VMware ESX and GSX support using vSphere API over SOAP
 * hyperv/       - Microsoft Hyper-V support using WinRM
 * lxc/          - Linux Native Containers
 * openvz/       - OpenVZ containers using cli tools
 * phyp/         - IBM Power Hypervisor using CLI tools over SSH
 * qemu/         - QEMU / KVM using qemu CLI/monitor
 * remote/       - Generic libvirt native RPC client
 * test/         - A "mock" driver for testing
 * vbox/         - Virtual Box using native API
 * vmware/       - VMware Workstation and Player using the vmrun tool
 * xen/          - Xen using hypercalls, XenD SEXPR & XenStore


Finally some secondary drivers that are shared for several HVs.
Currently these are used by LXC, OpenVZ, QEMU and Xen drivers.
The ESX, Hyper-V, Power Hypervisor, Remote, Test & VirtualBox drivers all
implement the secondary drivers directly

 * cpu/          - CPU feature management
 * interface/    - Host network interface management
 * network/      - Virtual NAT networking
 * nwfilter/     - Network traffic filtering rules
 * node_device/  - Host device enumeration
 * secret/       - Secret management
 * security/     - Mandatory access control drivers
 * storage/      - Storage management drivers


Since both the hypervisor and secondary drivers can be built as
dlopen()able modules, it is *FORBIDDEN* to have build dependencies
between these directories. Drivers are only allowed to depend on
the public API, and the internal APIs in the util/ and conf/
directories