Re: [libvirt] [PATCH] qemu: Add a qemu.conf option for clearing capabilities

On 05/27/2010 05:24 PM, Cole Robinson wrote: > Currently there is no way to opt out of libvirt dropping POSIX > capabilities for qemu. This at least is a useful debugging tool, but > is also wanted by users (and distributors): > > https://bugzilla.redhat.com/show_bug.cgi?id=559154 > https://bugzilla.redhat.com/show_bug.cgi?id=573850 > > Signed-off-by: Cole Robinson <crobinso(a)redhat.com&gt; > --- > src/qemu/qemu.conf | 5 +++++ > src/qemu/qemu_conf.c | 5 +++++ > src/qemu/qemu_conf.h | 2 +- > src/qemu/qemu_driver.c | 11 +++++++++-- > 4 files changed, 20 insertions(+), 3 deletions(-) > > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf > index 98a1176..b976dcc 100644 > --- a/src/qemu/qemu.conf > +++ b/src/qemu/qemu.conf > @@ -178,3 +178,8 @@ > # QEMU_AUDIO_DRV environment variable when using VNC. > # > # vnc_allow_host_audio = 0 > +# > + > +# If clear_emulator_capabilities is enabled, libvirt will drop all POSIX > +# capabilities of the QEmu/KVM emulator. This is enabled by default > +# clear_emulator_capabilities = 1 s/POSIX/privileged/ - POSIX doesn't say anything about superuser privileges, so we aren't dropping POSIX capabilities.

Leaving qemu privileged means that a compromised guest can exploit the privileges and do damage to the hypervisor; is it worth adding additional comments warning the user about the lack of security inherent in clearing the option?