Re: [libvirt] RFC: stop clearing QEMU emulator capabilities

On Thu, Nov 28, 2019 at 01:04:00PM +0000, Daniel P. Berrangé wrote: > We have an RFE from libguestfs to provide a way to run as root > *with* capabilities. I looked integrating this into the DAC security > manager as a new flag in the security label, but then I started > thinking about the whole idea of clearing capabilities > > https://bugzilla.redhat.com/show_bug.cgi?id=1045039 > > Pretty much forever we have explicitly cleared QEMU emulator > capabilities when starting it. > > When QEMU uid/gid is set to non-root this is pointless as if we just > used a regular setuid/setgid call, the process will have all its > capabilities cleared anyway by the kernel. > > When QEMU uid/gid is set to root, this is almost (always?) never > what people actually want. People make QEMU run as root in order > to access some privileged resource that libvirt doesn't support > yet and this often requires capabilities. As a result they have > to go find the qemu.conf param to turn this off. This is not > viable for libguestfs - they want to control everything via thue > XML security label to request running as root regardless of the > qemu.conf settings for user/group. > > Clearing capabilities was implemented originally because there > was a proposal in Fedora to change permissions such that root, > with no capabilities would not be able to compromise the system. > ie a locked down root account. This never went anywhere though, > and as a result clearing capabilities when running as root does > not really get us any security benefit AFAICT. The root user > can just do something like create a cronjob, which will then > faithfully be run with full capabilities, trivially bypassing > the restriction we place. > > IOW, our clearing of capabilities is both useless from a security > POV, and breaks valid use cases when people need to run as root. > > I'm thinking we should just rip out the code which clears capabilities > and allow default loggic to run > > - If uid/gid is non-root, then no capabilities are present > - If uid/gid is root, then full capabilities are present All seems reasonable to me ...