[libvirt] [PATCH] qemu: don't share kerberos caches between domains

https://bugzilla.redhat.com/show_bug.cgi?id=718377 complains that there were some SELinux AVCs when using vnc console over Kerberos. The root problem was that Kerberos tries to set up a cache file, and if we don't tell it where, then all domains use the same cache file, which violates sVirt protections. Setting the environment variable unconditionally should be safe, even for setups where Kerboros won't actually create a cache file. * src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for each domain. --- src/qemu/qemu_process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 55d00e3..986e8ee 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -1,7 +1,7 @@ /* * qemu_process.h: QEMU process management * - * Copyright (C) 2006-2012 Red Hat, Inc. + * Copyright (C) 2006-2013 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn, virCommandSetPidFile(cmd, priv->pidfile); virCommandDaemonize(cmd); virCommandRequireHandshake(cmd); + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb", + driver->cacheDir, vm->def->name); ret = virCommandRun(cmd, NULL); -- 1.8.1
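Review bot: in the second hunk, the value built on the `+ virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",` line is a file-style path (`<cacheDir>/<name>.krb`) while the variable name suggests a directory, and nothing in the hunk creates that path before `ret = virCommandRun(cmd, NULL);`, so if the library expects the directory to already exist the per-domain setup will fail at launch. Either create the directory (with the domain's ownership and sVirt label) ahead of the run or, if a single file per domain is intended, point the file-name variable at it; also confirm the exact variable spelling against the krb5 documentation before pushing, since a misspelled variable is silently ignored and the domains keep sharing one cache.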
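Review bot: in the first hunk the copyright bump is fine, but the unchanged context line `* qemu_process.h: QEMU process management` names the header inside qemu_process.c; since the comment block is already being touched, correcting it to `qemu_process.c` in the same change would save a separate cleanup commit.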

On 2013-01-24 09:26, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377 complains that there were some SELinux AVCs when using vnc console over Kerberos. The root problem was that Kerberos tries to set up a cache file, and if we don't tell it where, then all domains use the same cache file, which violates sVirt protections. Setting the environment variable unconditionally should be safe, even for setups where Kerboros won't actually create a cache file.
* src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for each domain. --- src/qemu/qemu_process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 55d00e3..986e8ee 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -1,7 +1,7 @@ /* * qemu_process.h: QEMU process management * - * Copyright (C) 2006-2012 Red Hat, Inc. + * Copyright (C) 2006-2013 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn, virCommandSetPidFile(cmd, priv->pidfile); virCommandDaemonize(cmd); virCommandRequireHandshake(cmd); + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb", + driver->cacheDir, vm->def->name);
ACK.

On Wed, Jan 23, 2013 at 06:26:49PM -0700, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377 complains that there were some SELinux AVCs when using vnc console over Kerberos. The root problem was that Kerberos tries to set up a cache file, and if we don't tell it where, then all domains use the same cache file, which violates sVirt protections. Setting the environment variable unconditionally should be safe, even for setups where Kerboros won't actually create a cache file.
Rare chance for me to point out a typo to Eric instead of the other way around :-P

s/Kerboros/Kerberos/

Regards,
Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 01/23/2013 08:26 PM, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377 complains that there were some SELinux AVCs when using vnc console over Kerberos. The root problem was that Kerberos tries to set up a cache file, and if we don't tell it where, then all domains use the same cache file, which violates sVirt protections. Setting the environment variable unconditionally should be safe, even for setups where Kerboros won't actually create a cache file.
* src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for each domain. --- src/qemu/qemu_process.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 55d00e3..986e8ee 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -1,7 +1,7 @@ /* * qemu_process.h: QEMU process management * - * Copyright (C) 2006-2012 Red Hat, Inc. + * Copyright (C) 2006-2013 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn, virCommandSetPidFile(cmd, priv->pidfile); virCommandDaemonize(cmd); virCommandRequireHandshake(cmd); + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb", + driver->cacheDir, vm->def->name);
ret = virCommandRun(cmd, NULL);
Thanks for taking a stab at this. The environment variable is actually called KRB5RCACHEDIR, and I don't think kerberos creates the directory for us. There's also KRB5RCACHENAME for pointing to a file path. What all this means is that someone should probably reproduce the bug first :) Thanks, Cole
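The two points raised above (the variable is KRB5RCACHEDIR, and libkrb5 will not create the directory for you) can be checked in isolation. The following is an added example written for this thread, not libvirt code and not a proposed patch: a hypothetical launcher helper `build_krb5_rcache_env()` that composes the per-domain `KRB5RCACHEDIR=<cache_root>/<name>.krb` string the patch aims for, creates the directory first, and refuses a domain name that could not serve as a single path component. The mode 0700 and the name check are the example's own assumptions; a real launcher would have to give the directory the ownership and sVirt label of the domain that owns it.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical check (not libvirt's): the domain name becomes a path
 * component, so it must not be empty, contain '/', or be "." / "..",
 * otherwise one domain could name another domain's cache directory. */
static int domain_name_is_safe_path_component(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Write "KRB5RCACHEDIR=<cache_root>/<name>.krb" into out and make sure the
 * directory exists, because (as noted in the thread) libkrb5 does not
 * create it.  Mode 0700 is a placeholder assumption; the real launcher must
 * give the directory the domain's uid/gid and sVirt label.
 * Returns 0 on success, -1 on any failure. */
int build_krb5_rcache_env(const char *cache_root, const char *name,
                          char *out, size_t outlen)
{
    char dir[PATH_MAX];
    struct stat st;
    int n;

    if (!domain_name_is_safe_path_component(name))
        return -1;

    n = snprintf(dir, sizeof dir, "%s/%s.krb", cache_root, name);
    if (n < 0 || (size_t)n >= sizeof dir)
        return -1;

    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    /* EEXIST is acceptable only if what exists really is a directory. */
    if (stat(dir, &st) < 0 || !S_ISDIR(st.st_mode))
        return -1;

    n = snprintf(out, outlen, "KRB5RCACHEDIR=%s", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Demonstration on a constructed scratch root: two domains get distinct,
 * existing replay-cache directories, a repeat call for the same domain is
 * idempotent, and an unsafe name is refused.  Returns 1 if every check
 * holds, 0 otherwise. */
int demo_isolated_rcaches(void)
{
    char root[] = "/tmp/krb5rc-demo-XXXXXX";  /* constructed scratch root */
    char env_a[PATH_MAX + 32], env_b[PATH_MAX + 32], path[PATH_MAX];
    struct stat st;
    int ok = 1;

    if (mkdtemp(root) == NULL)
        return 0;

    if (build_krb5_rcache_env(root, "vm-a", env_a, sizeof env_a) != 0) ok = 0;
    if (build_krb5_rcache_env(root, "vm-b", env_b, sizeof env_b) != 0) ok = 0;
    /* Distinct per-domain values: the point of the patch under review. */
    if (ok && strcmp(env_a, env_b) == 0) ok = 0;
    /* The directory named after '=' must exist before the guest starts. */
    if (ok && (stat(env_a + strlen("KRB5RCACHEDIR="), &st) < 0 ||
               !S_ISDIR(st.st_mode))) ok = 0;
    /* A name that is not a single path component is refused. */
    if (build_krb5_rcache_env(root, "bad/name", env_a, sizeof env_a) == 0) ok = 0;
    /* Second call for an existing domain takes the EEXIST path and succeeds. */
    if (build_krb5_rcache_env(root, "vm-a", env_a, sizeof env_a) != 0) ok = 0;

    /* Remove the scratch tree again. */
    snprintf(path, sizeof path, "%s/vm-a.krb", root); rmdir(path);
    snprintf(path, sizeof path, "%s/vm-b.krb", root); rmdir(path);
    rmdir(root);
    return ok;
}

int main(void)
{
    printf("per-domain replay cache isolation: %s\n",
           demo_isolated_rcaches() ? "ok" : "FAILED");
    return 0;
}
```

The directory is created before the environment string is handed back, mirroring the order a launcher needs: whatever path KRB5RCACHEDIR names must already exist, with the right label, when qemu is exec'd, or the library falls back to a shared default and the isolation the patch is after is lost.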

On 01/24/2013 03:53 PM, Cole Robinson wrote:
On 01/23/2013 08:26 PM, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377 complains that there were some SELinux AVCs when using vnc console over Kerberos. The root problem was that Kerberos tries to set up a cache file, and if we don't tell it where, then all domains use the same cache file, which violates sVirt protections. Setting the environment variable unconditionally should be safe, even for setups where Kerboros won't actually create a cache file.
+ virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb", + driver->cacheDir, vm->def->name);
ret = virCommandRun(cmd, NULL);
Thanks for taking a stab at this. The environment variable is actually called KRB5RCACHEDIR, and I don't think kerberos creates the directory for us. There's also KRB5RCACHENAME for pointing to a file path.
Good thing I haven't pushed yet. Where is this documented, so that I can fix my patch to match Kerberos expectations?
What all this means is that someone should probably reproduce the bug first :)
Unfortunately, I've got a huge learning curve ahead of me if I'm going to reproduce it (I was just implementing what looked like an easy fix based on the bugzilla content).

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 01/24/2013 07:05 PM, Eric Blake wrote:
On 01/24/2013 03:53 PM, Cole Robinson wrote:
On 01/23/2013 08:26 PM, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=718377 complains that there were some SELinux AVCs when using vnc console over Kerberos. The root problem was that Kerberos tries to set up a cache file, and if we don't tell it where, then all domains use the same cache file, which violates sVirt protections. Setting the environment variable unconditionally should be safe, even for setups where Kerboros won't actually create a cache file.
+ virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb", + driver->cacheDir, vm->def->name);
ret = virCommandRun(cmd, NULL);
Thanks for taking a stab at this. The environment variable is actually called KRB5RCACHEDIR, and I don't think kerberos creates the directory for us. There's also KRB5RCACHENAME for pointing to a file path.
Good thing I haven't pushed yet. Where is this documented, so that I can fix my patch to match Kerberos expectations?
I just looked at the krb5 code.
What all this means is that someone should probably reproduce the bug first :)
Unfortunately, I've got a huge learning curve ahead of me if I'm going to reproduce it (I was just implementing what looked like an easy fix based on the bugzilla content).
Same reason why I never tested it and submitted the obvious patch :) - Cole

On Thu, Jan 24, 2013 at 07:44:36PM -0500, Cole Robinson wrote:
On 01/24/2013 07:05 PM, Eric Blake wrote:
What all this means is that someone should probably reproduce the bug first :)
Unfortunately, I've got a huge learning curve ahead of me if I'm going to reproduce it (I was just implementing what looked like an easy fix based on the bugzilla content).
Same reason why I never tested it and submitted the obvious patch :)
Actually you really don't need to know much, if anything, about Kerberos to get it working. The key is you don't want to try to install and configure Kerberos. Instead just deploy freeipa, which hides all the Kerberos nastiness from you. You just install the RPMs, then run ipa-server-install, it asks you a couple of really simple questions and then configures kerberos, ldap, certificate manager and more. Configuring client machines is no harder. It is easy to just set up FreeIPA inside a VM.

Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
participants (4)
- Cole Robinson
- Daniel P. Berrange
- Eric Blake
- Osier Yang