[libvirt] path for user provided all-guest-read-only content
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
Feel free to read [1] for context, here the quote that made me poll for
opinions:
"it would be nice in the future to have some standardized path for user
provided guest-read-only stuff"
The TL;DR of their case is:
- extra info they want to pass, but is not part of libvirts guest
description (qemu-cmdline in their case)
- apparmor blocks their access to an unknown path
There are no reliable paths today to put data for a guest. Guests are names
with their ID in the paths - so even knowing the guest name - they are not
predictable (for example /var/lib/libvirt/qemu/domain-1-guestname/ might be
different next time).
Due to that I can see their use-case for "let all read from there", but
OTOH "let all" always feels wrong at first from a security POV.
Therefore i wanted to poll for opinions on this before suggesting any
change.
[1]: https://github.com/coreos/bugs/issues/2083#issuecomment-380404427
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
Attachments:
- attachment.html (text/html — 1.5 KB)
On Wed, Apr 11, 2018 at 05:01:04PM +0200, Christian Ehrhardt wrote:
Feel free to read [1] for context, here the quote that made me poll
for
opinions:
"it would be nice in the future to have some standardized path for user
provided guest-read-only stuff"
The TL;DR of their case is:
- extra info they want to pass, but is not part of libvirts guest
description (qemu-cmdline in their case)
- apparmor blocks their access to an unknown path
There are no reliable paths today to put data for a guest. Guests are names
with their ID in the paths - so even knowing the guest name - they are not
predictable (for example /var/lib/libvirt/qemu/domain-1-guestname/ might be
different next time).
Due to that I can see their use-case for "let all read from there", but
OTOH "let all" always feels wrong at first from a security POV.
So the core problem here is that they're using command line passthrough,
and using an arg that tells QEMU to open a file. Libvirt of course does
not know about that file, so doesn't setup security policies for that
file. Your suggestion is to define a special path for apps to use for
cases where comamnd line passthrough is in use. This suggestion will
only work with AppArmor though because it can list wildcard paths in
the policy file we generate, so libvirt doesn't need to know the exact
path the app used in the command line passthrough. With SELinux there
is no equivalent mechanism - access is granted by setting context on
the file, so libvirt must know the exact files used. Similarly this
will break if users have activated the DAC security driver to assign
a distinct user / group ID per guest, because again we need to know
the exact filename to set ownership on.
I don't want to define a special path that applications can use if it
is only ever going to work on certain platforms / configurations. The
only supportable option here is to simply never use command line
passthrough.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
2416
days inactive
2417
days old
1 comments
2 participants
tags (0)
participants (2)
-
Christian Ehrhardt -
Daniel P. Berrangé