[libvirt] RFC: extending sVirt to confine host apps which talk to libvirtd

What follows is a document outlining some thoughts I've been having on extending sVirt to allow confinement of applications which talk to libvirtd on the host, primarily focusing on use of SELinux, but also allowing a simple non-SElinux RBAC mechanism. Securing KVM virtualization hosts with MAC ========================================== This document looks at the task of securing KVM virtualizaton hosts using mandatory access control technologies, with focus on SELinux. At the time of writing there have been two phases of development, and this document makes proposals for a third phase. Phase 1: circa 2006 ------------------- Goal: Protect the host from a compromised virtual machine. The first phase of development had the modest goal of protecting the host from attack by a compromised virtual machine. To achieve this, the KVM processes are configured such that they will run under a confined security context ('virt_t' in the SELinux reference policy), which blocks access to any host resources not labelled ('virt_image_t') for use by virtual machines. The primary limitations of this initial implementation is that while the virtual host is secured, there is no protection between virtual machines. This can be considered a regression in isolation as compared to that offered by non-virtualized hosts. The second limitation is that the virtualization admin has to take care to ensure the host resources intended for use by the virtual machines are correctly labelled. This is a manual setup taks unless the images are kept in a preset location (/var/lib/libvirt/images in the SELinux reference policy). Phase 2: March 2009 ------------------- Goal: Protect virtual machines from each other The second phase of development has the goal of providing isolation between virtual machines that is comparable to that achieved between physical machines. This piece of work is commonly referred to as "svirt". The achieve this, the KVM processes are each configured to run under a dedicated security context, which blocks access to any resources not explicitly assigned to that virtual machine. In the SELinux implementation, the base context "svirt_t" has a unique MCS category ("c240,c955") appended to form a unique security context "system_u:system_r:svirt_t:s0:c240,c955". For each host resource to be assigned to the virtual machine, the base context "svirt_image_t" is combined with the same MCS category to form a unique resource security context "system_u:object_r:svirt_image_t:s0:c240,c955". The assignment of virtual machine security contexts and labelling of resources can be done statically by the administrator / management application, or dynamically by the libvirtd daemon. The latter removes much of the administrator burden. The second phase has addressed the major guest security limitation of the first phase, and eased the burden placed on host administors. Attention can now focus on the security of the host management software stack. Client applications communicate with the libvirtd daemon using a simple sockets based RPC protocol. Thus operations initiated by client applications which run under one security context are in fact invoked under the libvirtd daemon's security context. Since the libvirtd daemon is a highly privileged, almost unconfined process, this provides a means for applications to elevate their privileges. A second problem with the current model is seen when looking at guest migration between hosts. During migration, there are two QEMU processes running for the same virtual machine, one process on each host. The dynamic assignment of MCS values to form unique security contexts is done on a per host basis, so there is no guarantee that the VM on host A will be using (or be able to use) the same security context on the target host of migration. This is not neccessarily a problem if the guest is using block devices, since block device inode labels are only visible to a single host. With a shared filesystem that supports SELinux labelling, like GFS2, both QEMU processes must run in the same security context to allow them both to access the associated files. Phase 3: June 2011 ------------------ Goal: Protect virtual machines from host applications The third phase of development has the primary goal of honouring the confinement of client applications talking to libvirtd, when performing operations on virtual machines and other managed objects (storage pools, host devices, virtual networks, secrets, etc). Every application connecting to libvirt has an associated security context. Every object managed by libvirtd will have an associated security context. When an operation is invoked via a libvirt API the client application security context will be checked against the target object context, before proceeding. Thus applications will not be able to make use of a libvirtd connection to perform operations that are otherwise blocked. The secondary goal is to add further flexibility and safety to the way MCS categories are assigned, and files are relabelled. Instead of maintaining a local database of assigned labels, there must be some shared storage where label usage can be recorded. At its simplest this can be an NFS share, with one file per MCS category and locking with fcntl(). An alternative would to be acquire leases using a lock manager such as sanlock. In addition, the guest configuration will be enhanced such that a guest can be assigned a statically chosen security context, but still make use of dynamic relabelling of resources. Finally the existing boolean mode of 'static' vs 'dynmamic' label generation will be turned into a tri-state, introducing a 'hybrid' mode where the client supplies a custom base context, and the MCS part is still auto-generated. Usage scenarios --------------- To aid in development a couple of relevant core use cases or usage scenarios have been identified: 1. A virtual machine monitoring application For this example, consider the simple monitoring application 'virt-top'. This application displays a list of all virtual machines on the host and their associated resource utilization (CPU, disk, network). This application has no need to be able to stop/start/define virtual machines, nor do any operation related to host devices, storage, or networking. Traditionally this application is written to use a read only libvirt connection. With enhanced access control from libvirtd, the policy would define a new security context 'virt_top_t' for the 'virt-top' application. This policy would allow 'list', 'read', 'readstats' on the 'domain' object type. 2. A multi-guest, multi-user MLS enabled host For this example, consider a virtualizaton host with MLS policy that is running multiple virtual machines, for a variety of different users. A user with the security level "restricted" must not be allowed to control virtual machines with a security level of "confidential". Conversely a user with security level "secret" must not be allowed to create virtual machines with a security level of "unclassified". With enhanced access control from libvirtd, getpeercon() would provide the security context of the client application (user). The client context would be used to perform an AVC when any API operation is invoked, thus ensuring that the client's MLS label is honoured in access control checks. The effect would be that when an 'restricted' user asked for a list of virtual machines only virtual machines at level 'restricted' or below would be returned. Or when a "secret" user asked to start a guest when a security level of 'unclassified', the operation would be denied. 3. Identity transitions from trusted agents For this example, consider a trusted agent such as libvirt-qpid, or libvirt-snmp, which translates the libvirt API from its native model, into an alternate access model. In such an example, the agent talking to libvirtd will have authenticated itself. The peer identity that libvirtd sees, however, is that of the agent, not the ultimate (end-user) client. In such a case it will desirable to allow a trusted agent to transition to a different identity when performing operations. An end user running under context "unconfined_u:unconfined_r:virt_top_t:s0-s0:c0.c1023" may talk to the libvirt-qpid agent which runs under the context "system_u:system_r:virt_qpid_t:s0-s0:c0.c1023". The libvirt-qpid connects to libvirtd which sees 'virt_qpid_t' as the client type. The policy is written to allow transitions from 'virt_qpid_t' to the 'virt_top_t' type, so when the virt-top client connects to libvirt-qpid, it changes its identity to 'virt_top_t'. From that point onwards, all AVC checks honour the privileges of the ultimate end user application, rather than the libvirt-qpid intermediary. The same mechanism also ensures that the client application MLS level is transferred via the libvirt-qpid agent to libvirtd. Anticipated Development tasks ----------------------------- 1. Extend the domain XML to add a third attribute to the <seclabel> element relabel="yes|no", to control whether libvirtd will automatically label resources assigned to a guest. If the existing 'mode' attribute is "dynamic", then relabelling will default to enabled, while if it is 'static', then relabelling will default to disabled. Also change 'mode' to allow a new 'hybrid' value. 2. Determine how to maintain/identify security labels for other managed objects, including virStoragePoolPtr, virStorageVolPtr, virSecretPtr, virNetworkPtr, virInterfacePtr, virNodeDevicePtr, an host level APIs without any explicit managed object. 3. Extend XML for non-domain objects to implant security labels as identified in step 2. 4. Create an internal virIdentity struct to store the identity of the client. This will include at least the x509 distinguished name, the SASL username, the SELinux context (getpeercon()) and UNIX username/group (SCM_CREDENTIALS). 5. Create a new public API to allow a client application to supply a new identity, allowing them to pass a new x509 distinguished name, SASL username, SELinux context and UNIX username/group. 6. Extend the libvirtd daemon such that the current identity is stored in a thread local whenever invoking a public API operation. 7. Extend the QEMU driver such that a suitable identity is set when performing autonomous background operations such as domain auto-start and core dump, in a non-API thread. 8. Create a set of internal access control helper APIs in $libvirt/src/accesscontrol/. There will be one API for each managed object, talking an object pointer, and an operation identifier (from an enum). 9. Create a simple impl of the access control APIs which defines roles for groups of user identities, and grants privileges to each role based on the operation names. This allows for simple testing of internal infrastructure, and an RBAC mechanism for users who lack SELinux in their OS. 10. Implant access control checks into the main codepaths of every driver method implementations in the QEMU driver. 11. Change the SELinux reference policy to define the new security types and access vectors for the libvirt objects & associated API calls. 12. Create a SELinux impl of the access control APIs which invokes avc_has_perm() using the client's SELinux context. This is intended to be the primary RBAC mechanism for Fedora/RHEL virtualization hosts. 13. Write policy to confine targetted applications like virt-top, virt-mem. 14. Extend libvirt-snmp, libvirt-cim, libvirt-qpid to pass through the client identity to libvirtd. Technical Notes / Issues ------------------------ 1. Adding new SELinux security classes / access vectors The selinux security classes are defined in /usr/include/selinux/flask.h and access vectors in /usr/include/selinux/av_permissions.h Both of these files are automatically by a script in the selinux reference policy code '$serefpolicy/policy/flask/flask.py'. The master data files are in the same directory, 'access_vectors' and 'security_classes'. Once generated, the headers need to be manually copied into the libselinux package sources. APIs are added to libvirt on a very frequent basis. What is the process for applying access control to them if the SELinux policy does not yet have a suitable access vector / security class defined ? Do we need a generic 'admin' access vector we can use as catch all, until more specific vectors can be defined for the new APIs. Desirable to avoid having to lock-step upgrade libvirt with selinux policy for all additions to the libvirt public API. 2. Security contexts for libvirt managed objects virDomainPtr: Already embedded in XML, unless using dynamic labelling in which case context is assigned at startup. virNetworkPtr: No existing security context, nor any object on disk that could be used. Follow example of domains and embed <seclabel> in the XML. Assign unique MCS category per network and ensure that daemons launched per network (dnsmasq, radvd) inherit the MCS category. virSecretPtr: No existing security context. Secrets may be associated with disk paths for VMs. Could copy the security context of the guests and apply it to the secret, or have a dedicated type svirt_secret_t and just copy the MCS category. Hard to make it work for guests with dynamic MCS assignment. virStoragePoolPtr: No existing security context. Some pool types have objects existing on the host filesystem eg SCSI HBAs have a directory in sysfs, filesystem dirs have a directory somewhere, LVM has directory for the volume group in /dev. Other pool types have no object on disk anywhere convenient. eg Sheepdog. Other pool types only have an object on disk when the pool is active (eg iSCSI, NFS). So there is nothing to use for API checks when the pool is inactive. Likely have to ignore whatever associated resource is on disk and just store a security context in the XML config as with virDomainPtr/virNetworkPtr. virStorageVolPtr: Currently reports the SELinux security label associated with the file on disk. Not all pool types neccessarily have volumes with a corresponding file on disks (eg Sheepdog). virNodeDevicePtr: No existing security context. Most data comes from udev or HAL databases, though ultimately much is available in sysfs. When detaching PCI devices from host drivers, files in sysfs are used. When creating/deleting NPIV adapters sysfs is used. Thus could use sysfs file labels for AVC checks ? virConnectPtr: All host level APIs for which there is no other object aside from the nebulous concept of the 'host'. APIs are all readonly, eg query host capabilities, query free memory, CPU stats, etc. What if we gain APIs to make write calls. virInterfacePtr: No existing security context. Currently using netcf to get data from /etc/sysconfig/network-scripts/ifcfg-XXX files, but can't assume those file names since that is Fedora/RHEL specific. Might not even use netcf if it talks directly to network manager. Does netcf need to expose a security label based on the ifcfg-XXX file ? 3. Security labelling config modes When creating a guest the following XML snippets can be used. a. Default type, dynamic MCS, automatic relabelling <seclabel type='selinux' mode='dynamic' relabel='yes'/> b. Custom type, dynamic MCS, automatic relabelling <seclabel type='selinux' mode='hybrid' relabel='yes'> <label>system_u:system_r:mysvirt_t</label> <imagelabel>system_u:object_r:mysvirt_image_t</imagelabel> </seclabel> c. Default type, dynamic MCS, no relabelling <seclabel type='selinux' mode='dynamic' relabel='no'/> Does this mode make any sense, since admin doesn't know MCS category upfront ? Possibly only useful if the guest only has readonly disks. d. Custom type, dynamic MCS, no relabelling <seclabel type='selinux' mode='hybrid' relabel='no'> <label>system_u:system_r:mysvirt_t</label> </seclabel> Same question about whether it makes sense e. Custom type, static MCS, auto relabelling <seclabel type='selinux' mode='static' relabel='yes'> <label>system_u:system_r:mysvirt_t:s0:c123,c456</label> <imagelabel>system_u:system_r:mysvirt_image_t:s0:c123,c456</imagelabel> </seclabel> f. Custom type, static MCS, no relabelling <seclabel type='selinux' mode='static' relabel='no'> <label>system_u:system_r:mysvirt_t:s0:c123,c456</label> </seclabel> 4. Time at which to apply checks / source context It would be desirable to restrict the ability to use automatic file relabelling within the policy. If a client application defines a guest with the 'relabel=yes' attribute set, at what time should this usage be validated ? Validate at the time the guest is defined ? This ensures the app defining the guest is suitably privileged, but the file labels might be changed by the time the guest starts. Validate at the time the guest is started ? This minimises the window between access check being performed, and libvirtd actually performing the relabel operation. The app starting the guest might be different from the one defining the guest though ? Check at both define + start time ? What source security context should we use when performing autostart of virtual machines ? Normally when starting a VM, the check would be performed using the context of the client invoking the start API, but there is no such client when autostart occurs. Should we instead perform a 'start' operation check whenever the 'autostart' flag is turned on by a client ? Or check the autostart operation against some generic source context ? -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|