[libvirt] path for user provided all-guest-read-only content
Feel free to read [1] for context, here the quote that made me poll for opinions: "it would be nice in the future to have some standardized path for user provided guest-read-only stuff" The TL;DR of their case is: - extra info they want to pass, but is not part of libvirts guest description (qemu-cmdline in their case) - apparmor blocks their access to an unknown path There are no reliable paths today to put data for a guest. Guests are names with their ID in the paths - so even knowing the guest name - they are not predictable (for example /var/lib/libvirt/qemu/domain-1-guestname/ might be different next time). Due to that I can see their use-case for "let all read from there", but OTOH "let all" always feels wrong at first from a security POV. Therefore i wanted to poll for opinions on this before suggesting any change. [1]: https://github.com/coreos/bugs/issues/2083#issuecomment-380404427 -- Christian Ehrhardt Software Engineer, Ubuntu Server Canonical Ltd
On Wed, Apr 11, 2018 at 05:01:04PM +0200, Christian Ehrhardt wrote:
Feel free to read [1] for context, here the quote that made me poll for opinions: "it would be nice in the future to have some standardized path for user provided guest-read-only stuff"
The TL;DR of their case is: - extra info they want to pass, but is not part of libvirts guest description (qemu-cmdline in their case) - apparmor blocks their access to an unknown path
There are no reliable paths today to put data for a guest. Guests are names with their ID in the paths - so even knowing the guest name - they are not predictable (for example /var/lib/libvirt/qemu/domain-1-guestname/ might be different next time).
Due to that I can see their use-case for "let all read from there", but OTOH "let all" always feels wrong at first from a security POV.
So the core problem here is that they're using command line passthrough, and using an arg that tells QEMU to open a file. Libvirt of course does not know about that file, so doesn't setup security policies for that file. Your suggestion is to define a special path for apps to use for cases where comamnd line passthrough is in use. This suggestion will only work with AppArmor though because it can list wildcard paths in the policy file we generate, so libvirt doesn't need to know the exact path the app used in the command line passthrough. With SELinux there is no equivalent mechanism - access is granted by setting context on the file, so libvirt must know the exact files used. Similarly this will break if users have activated the DAC security driver to assign a distinct user / group ID per guest, because again we need to know the exact filename to set ownership on. I don't want to define a special path that applications can use if it is only ever going to work on certain platforms / configurations. The only supportable option here is to simply never use command line passthrough. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
participants (2)
-
Christian Ehrhardt -
Daniel P. Berrangé