Re: [libvirt] New QEMU daemon for persistent reservations

On Mon, Nov 27, 2017 at 12:51:33PM +0100, Paolo Bonzini wrote: > On 27/11/2017 12:37, Daniel P. Berrange wrote: >> On Mon, Nov 27, 2017 at 12:13:24PM +0100, Paolo Bonzini wrote: >>> Hm, I see what you mean now. But it would be "just" a qemu-pr-helper >>> bug that it trusts the caller to have "ioctl" permissions on the file >>> descriptor, wouldn't it? >>> >>> And it could be a feature even, since the remote QEMU process also has >>> to have "connect" permissions on the qemu-pr-helper socket. So you >>> could give it ioctl access *limited to persistent reservations* by >>> granting the appropriate permissions on the socket. >> >> We can't grant access to the persistent reservation helper's socket on a >> per QEMU basis. Permissions are granted on the domain type svirt_t, and >> we don't want to invent a new domain type just for having access to the >> PR helper. > > You can do so via DAC and MAC on the socket itself, or is that not enough? Yes, you can do MAC on the socket, but that merely gives you protection betweeen the host & guest. The goal of sVirt is to give protection between VMs, and MAC on the socket alone doesn't guarantee that. In the shared-PR helper the PR helper context would not have an MAC level applied, so the MAC check is now process context == qemu_pr_helper_t:s0 file context == svirt_image_t:s0,c340,c524 This is still a MAC check, but it is a weaker check than what sVirt promises, because a QEMU with MCS c340,c524 could pass a file descriptor with a MCS level c123,c422. QEMU would be denied to use this bogus FD, but the PR helper would happily allow this bad access.

So to satisfy sVirt separation of QEMU instances, we need the PR helper to be able to validate the MCS levels, as the kernel no longer has enough info todo this automatically. In the PR helper this is achieved with something like getpeercon(socketfd, &qemucon) => returns svirt_t:s0,c340,c524 fgetfilecont(filefd, &diskcon) => returns svirt_image_t:s0,c340,c524 Then it would call something like security_compute_av(qemucon, diskcon, ...file class..., ...ioctl perm...) to get a MAC decision from the kernel. This preserves the sVirt isolation of individual QEMU instances.