
On 05/28/2010 09:16 AM, Eric Blake wrote:
On 05/27/2010 05:24 PM, Cole Robinson wrote:
Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors):
https://bugzilla.redhat.com/show_bug.cgi?id=559154
https://bugzilla.redhat.com/show_bug.cgi?id=573850
Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
 src/qemu/qemu.conf     |  5 +++++
 src/qemu/qemu_conf.c   |  5 +++++
 src/qemu/qemu_conf.h   |  2 +-
 src/qemu/qemu_driver.c | 11 +++++++++--
 4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 98a1176..b976dcc 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -178,3 +178,8 @@ # QEMU_AUDIO_DRV environment variable when using VNC. # # vnc_allow_host_audio = 0 +# + +# If clear_emulator_capabilities is enabled, libvirt will drop all POSIX +# capabilities of the QEmu/KVM emulator. This is enabled by default +# clear_emulator_capabilities = 1
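Review bot: the new qemu.conf comment calls the dropped privileges "POSIX capabilities", but POSIX defines no superuser privilege model; these are Linux capabilities, so say "privileged capabilities" (or "Linux capabilities") so an admin reading the file knows what the setting controls. The comment also states the default ("This is enabled by default", missing its period) without saying why it matters: with the option cleared the emulator keeps its full capability set, so anything that escapes the guest into the qemu process inherits those privileges. Suggested wording for the three comment lines: `# If clear_emulator_capabilities is enabled, libvirt will drop all` / `# privileged capabilities of the QEmu/KVM emulator. This is enabled by` / `# default; disable it only for debugging, since a compromised guest would keep the retained privileges.` Note also that the diffstat lists qemu_conf.c, qemu_conf.h and qemu_driver.c, but only the qemu.conf hunk is quoted in this message, so how the key is parsed and how the default of 1 is applied cannot be reviewed from what is shown here.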
s/POSIX/privileged/ - POSIX doesn't say anything about superuser privileges, so we aren't dropping POSIX capabilities.
Okay.
Leaving qemu privileged means that a compromised guest can exploit the privileges and do damage to the hypervisor; is it worth adding additional comments warning the user about the lack of security inherent in clearing the option?
How about

# If clear_emulator_capabilities is enabled, libvirt will drop all
# privileged capabilities of the QEmu/KVM emulator. This is enabled by
# default.
#
# Warning: Disabling this option means that a compromised guest can
# exploit the privileges and possibly do damage to the host.

Thanks,
Cole
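A check that follows from this thread, added here as an example and not part of libvirt or the patch: the only way an admin can confirm that clear_emulator_capabilities actually took effect is to look at the Cap* lines of /proc/<pid>/status for the running qemu process. The script decodes those bitmasks into capability names; the two status excerpts are constructed, and the capability bit numbers are the standard ones from linux/capability.h.

```python
"""Decode the capability sets of a qemu process from /proc/<pid>/status.

Added example (not libvirt code): lets an admin verify whether the
emulator kept any privileged capabilities after libvirt started it.
"""
import re

# Linux capability bit numbers (linux/capability.h); the list index is
# the bit position inside the CapInh/CapPrm/CapEff/CapBnd bitmasks.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_caps(mask: int) -> list:
    """Expand a capability bitmask into the names of the bits that are set."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1]

def retained_caps(status_text: str) -> dict:
    """Return every non-empty Cap* set found in a /proc/<pid>/status dump."""
    found = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M):
        caps = decode_caps(int(m.group(2), 16))
        if caps:
            found[m.group(1)] = caps
    return found

def emulator_is_unprivileged(status_text: str) -> bool:
    """True when CapEff and CapPrm are both empty, i.e. the drop took effect."""
    found = retained_caps(status_text)
    return "CapEff" not in found and "CapPrm" not in found

# Constructed samples of what the two settings look like in /proc/<pid>/status:
# all sets cleared, versus CAP_NET_ADMIN|CAP_SYS_RAWIO|CAP_SYS_ADMIN retained.
DROPPED = "Name:\tqemu-kvm\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
KEPT = "Name:\tqemu-kvm\nCapInh:\t0000000000000000\nCapPrm:\t0000000000221000\nCapEff:\t0000000000221000\n"

if __name__ == "__main__":
    for label, text in (("dropped", DROPPED), ("kept", KEPT)):
        print(label, emulator_is_unprivileged(text), retained_caps(text))
```

On a live host, feed it the contents of /proc/<qemu pid>/status instead of the constructed strings; CapBnd being non-empty while CapEff and CapPrm are empty is still a clean drop.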