[libvirt] [PATCH v2] qemu: Add a qemu.conf option for clearing capabilities

Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors): https://bugzilla.redhat.com/show_bug.cgi?id=559154 https://bugzilla.redhat.com/show_bug.cgi?id=573850 v2: Clarify qemu.conf comment, warn about security implications Signed-off-by: Cole Robinson <crobinso@redhat.com> --- src/qemu/qemu.conf | 9 +++++++++ src/qemu/qemu_conf.c | 5 +++++ src/qemu/qemu_conf.h | 2 +- src/qemu/qemu_driver.c | 11 +++++++++-- 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 98a1176..93934f3 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -178,3 +178,12 @@ # QEMU_AUDIO_DRV environment variable when using VNC. # # vnc_allow_host_audio = 0 + +# If clear_emulator_capabilities is enabled, libvirt will drop all +# privileged capabilities of the QEmu/KVM emulator. This is enabled by +# default. +# +# Warning: Disabling this option means that a compromised guest can +# exploit the privileges and possibly do damage to the host. +# +# clear_emulator_capabilities = 1 diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 66a949e..d7e61d2 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -104,6 +104,7 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, /* Setup critical defaults */ driver->dynamicOwnership = 1; + driver->clearEmulatorCapabilities = 1; if (!(driver->vncListen = strdup("127.0.0.1"))) { virReportOOMError(); @@ -355,6 +356,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, CHECK_TYPE ("vnc_allow_host_audio", VIR_CONF_LONG); if (p) driver->vncAllowHostAudio = p->l; + p = virConfGetValue (conf, "clear_emulator_capabilities"); + CHECK_TYPE ("clear_emulator_capabilities", VIR_CONF_LONG); + if (p) driver->clearEmulatorCapabilities = p->l; + virConfFree (conf); return 0; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 7616d15..0f8a1b3 100644 
--- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -138,8 +138,8 @@ struct qemud_driver { ebtablesContext *ebtables; unsigned int relaxedACS : 1; - unsigned int vncAllowHostAudio : 1; + unsigned int clearEmulatorCapabilities : 1; virCapsPtr caps; diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index ad7fb54..3faf31e 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -3287,7 +3287,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, int stdin_fd) { const char **argv = NULL, **tmp; const char **progenv = NULL; - int i, ret; + int i, ret, runflags; struct stat sb; int *vmfds = NULL; int nvmfds = 0; @@ -3501,9 +3501,16 @@ static int qemudStartVMDaemon(virConnectPtr conn, for (i = 0 ; i < nvmfds ; i++) FD_SET(vmfds[i], &keepfd); + VIR_DEBUG("Clear emulator capabilities: %d", + driver->clearEmulatorCapabilities); + runflags = VIR_EXEC_NONBLOCK; + if (driver->clearEmulatorCapabilities) { + runflags |= VIR_EXEC_CLEAR_CAPS; + } + ret = virExecDaemonize(argv, progenv, &keepfd, &child, stdin_fd, &logfile, &logfile, - VIR_EXEC_NONBLOCK | VIR_EXEC_CLEAR_CAPS, + runflags, qemudSecurityHook, &hookData, pidfile); VIR_FREE(pidfile); -- 1.6.6.1
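Review bot: In the qemu.conf hunk, the new comment spells the emulator "QEmu/KVM" while the rest of the file and project use "QEMU"; please use the latter. It would also help operators to state in the comment that the option only matters when the emulator would otherwise start with privileges (libvirtd running as root), since the warning about a compromised guest exploiting retained privileges only applies in that case.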
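Review bot: In the second qemu_conf.c hunk, `driver->clearEmulatorCapabilities = p->l;` stores a `long` into a 1-bit bitfield (declared `unsigned int clearEmulatorCapabilities : 1;` in the qemu_conf.h hunk), so any even value such as `clear_emulator_capabilities = 2` is silently truncated to 0 and disables capability clearing without any error. Normalise the value first, e.g. `driver->clearEmulatorCapabilities = (p->l != 0);`, or reject anything other than 0 and 1 next to the existing CHECK_TYPE.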
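Review bot: The qemu_conf.h hunk as it appears here removes `unsigned int vncAllowHostAudio : 1;` and adds `unsigned int clearEmulatorCapabilities : 1;`, yet the qemu_conf.c context line `if (p) driver->vncAllowHostAudio = p->l;` still assigns the old member, which would not compile. The hunk header (`-138,8 +138,8`) and the diffstat (`2 +-`) suggest the removed line was actually a blank line and the field is being appended, so please confirm the hunk was flattened in transit rather than that the field is dropped.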
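Review bot: In the second qemu_driver.c hunk, the `VIR_DEBUG("Clear emulator capabilities: %d", ...)` message is only visible with debug logging, but the qemu.conf comment in this same patch warns that disabling the option lets a compromised guest use host privileges. A deviation that security-relevant deserves to be logged at warning level when `driver->clearEmulatorCapabilities` is 0 (for example a `VIR_WARN` inside an `else` branch of the new `if`), so an administrator auditing logs can see that the emulator was started with its capabilities intact.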
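A defender-side check to go with the option above, added here as an example and not part of the patch or of libvirt: it parses the capability sets from a process's /proc/<pid>/status and reports whether the emulator really ended up with an empty effective set. The capability table and the two status samples are constructed for the example; the `audit()` helper that reads a live process is an assumption about where an operator would run it.

```python
import re

# Capability bit numbers from linux/capability.h; the table covers the ones
# a hypervisor process is most likely to retain, other bits print as cap_<n>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    27: "CAP_MKNOD",
}

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, ...} from a
    /proc/<pid>/status text; the kernel prints each set as a hex bitmask."""
    sets = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        sets[m.group(1)] = int(m.group(2), 16)
    return sets

def decode_caps(mask):
    """Names of the capabilities set in a bitmask, lowest bit first."""
    return [CAP_NAMES.get(bit, "cap_%d" % bit) for bit in range(64) if mask >> bit & 1]

def caps_cleared(status_text):
    """True when the process holds neither permitted nor effective capabilities,
    i.e. the state clear_emulator_capabilities = 1 is meant to produce."""
    sets = parse_cap_sets(status_text)
    return sets.get("CapPrm", 0) == 0 and sets.get("CapEff", 0) == 0

def retained_caps(status_text):
    """Effective capabilities the process still holds, by name."""
    return decode_caps(parse_cap_sets(status_text).get("CapEff", 0))

# Constructed samples in /proc/<pid>/status format (not real captures):
# an emulator with everything dropped, and one that kept IPC_LOCK and SYS_ADMIN.
STATUS_CLEARED = ("Name:\tqemu-kvm\nCapInh:\t0000000000000000\n"
                  "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")
STATUS_RETAINED = ("Name:\tqemu-kvm\nCapInh:\t0000000000000000\n"
                   "CapPrm:\t0000000000204000\nCapEff:\t0000000000204000\n")

def audit(pid):
    """Check a live emulator process (hypothetical helper; needs permission
    to read that process's status file). Returns (cleared, retained_names)."""
    with open("/proc/%d/status" % pid) as f:
        text = f.read()
    return caps_cleared(text), retained_caps(text)
```

Run `audit(pid)` against each running emulator after changing the setting; a non-empty retained list with `clear_emulator_capabilities = 1` in qemu.conf means the option did not take effect.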

On 05/28/2010 01:26 PM, Cole Robinson wrote:
> Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors):
> https://bugzilla.redhat.com/show_bug.cgi?id=559154 https://bugzilla.redhat.com/show_bug.cgi?id=573850
> v2: Clarify qemu.conf comment, warn about security implications

ACK.

--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org

2010/5/28 Cole Robinson <crobinso@redhat.com>:
> Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors):
> https://bugzilla.redhat.com/show_bug.cgi?id=559154 https://bugzilla.redhat.com/show_bug.cgi?id=573850
> v2: Clarify qemu.conf comment, warn about security implications

But your commit message still says "dropping POSIX capabilities" instead of "dropping privileged capabilities".

Matthias

On 05/28/2010 03:50 PM, Matthias Bolte wrote:
> 2010/5/28 Cole Robinson <crobinso@redhat.com>:
>> Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors):
>> https://bugzilla.redhat.com/show_bug.cgi?id=559154 https://bugzilla.redhat.com/show_bug.cgi?id=573850
>> v2: Clarify qemu.conf comment, warn about security implications
>
> But your commit message still says "dropping POSIX capabilities" instead of "dropping privileged capabilities".

Whoops, I forgot about this, and pushed with the old commit message. Sorry.

- Cole

On Fri, May 28, 2010 at 03:26:02PM -0400, Cole Robinson wrote:
> Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors):
> https://bugzilla.redhat.com/show_bug.cgi?id=559154 https://bugzilla.redhat.com/show_bug.cgi?id=573850
> v2: Clarify qemu.conf comment, warn about security implications
> Signed-off-by: Cole Robinson <crobinso@redhat.com> --- src/qemu/qemu.conf | 9 +++++++++ src/qemu/qemu_conf.c | 5 +++++ src/qemu/qemu_conf.h | 2 +- src/qemu/qemu_driver.c | 11 +++++++++-- 4 files changed, 24 insertions(+), 3 deletions(-)

ACK

Daniel

--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On 06/01/2010 12:42 PM, Daniel P. Berrange wrote:
> On Fri, May 28, 2010 at 03:26:02PM -0400, Cole Robinson wrote:
>> Currently there is no way to opt out of libvirt dropping POSIX capabilities for qemu. This at least is a useful debugging tool, but is also wanted by users (and distributors):
>> https://bugzilla.redhat.com/show_bug.cgi?id=559154 https://bugzilla.redhat.com/show_bug.cgi?id=573850
>> v2: Clarify qemu.conf comment, warn about security implications
>> Signed-off-by: Cole Robinson <crobinso@redhat.com> --- src/qemu/qemu.conf | 9 +++++++++ src/qemu/qemu_conf.c | 5 +++++ src/qemu/qemu_conf.h | 2 +- src/qemu/qemu_driver.c | 11 +++++++++-- 4 files changed, 24 insertions(+), 3 deletions(-)
>
> ACK

Thanks, pushed now.

- Cole
participants (4):
- Cole Robinson
- Daniel P. Berrange
- Eric Blake
- Matthias Bolte