[libvirt] Re: [RFC] sVirt v0.10 - initial prototype

Tue Oct 21 13:57:15 UTC 2008

James Morris wrote:
> This is a request for comments on the initial prototype release of sVirt, 
> a project to add security labeling support to Linux-based virtualization.
> 
> Project page: 
>   http://www.selinuxproject.org/page/SVirt
> 
> Previous libvirt discussions:
> 
>   High-level requirements:
>     https://www.redhat.com/archives/libvir-list/2008-August/msg00255.html
> 
>   XML security labels:
>     https://www.redhat.com/archives/libvir-list/2008-August/msg00740.html
> 
> A patch for libvirt is attached; and also included in a release tarball at 
> http://namei.org/svirt/.  See 'readme.txt' there for more details on 
> building and running the code.
> 
> The purpose of this release is to establish a proof of concept of applying 
> security labels to VMs, and for discussion of the underlying technical 
> approach.
> 
> With this release, it is possible to define a security label for a 
> kvm/qemu domain in its XML configuration ('virsh edit'), launch the domain 
> and have it transition to the specified security label ('virsh start'), 
> then query the security label of the running domain ('virsh dominfo').
> 
> The following changes were made to libvirt:
> 
> 1. Implementing a pluggable security label driver framework;
> 
> 2. Implementing an SELinux security label driver for (1);
> 
> 3. Wiring the security label framework into the Qemu driver;
> 
> 4. Implementing basic libvirt API calls for initializing the driver, 
>    and getting/setting domain security labels;
> 
> 5. Extending the domain XML configuration to include security labels;
> 
> 6. Adding domain security label display/edit/dump support to virsh.
> 
> One of the design principles I've followed with this is to reduce or 
> eliminate configuration wherever possible.  If a variety of security 
> labeling drivers are present, libvirtd automatically detects which one to 
> enable and enables it.  e.g. if SELinux is enabled on the system, the 
> SELinux labeling driver is enabled automatically when livbirtd starts.
> 
> Another is to treat security labels as opaque unless they're actually 
> being used for security purposes (e.g. to launch the domain).  So, virsh 
> and the domain configuration code currently do not need to semantically 
> interpet security labels, just understand their format.  This should suit 
> the initial simple goal of isolated domains, which only requires security 
> labels to be distinct.
> 
> The domain security label configuration format is as follows:
> 
> # virsh dumpxml sys1
> <domain>
>     ....
>   <seclabel model='selinux'>
>     <label>system_u:system_r:virtd_t:s0</label>
>     <policytype>targeted</policytype>
>   </seclabel>
> </domain>
> 
> It's possible to query the security label of a running domain via virsh:
> 
> # virsh dominfo sys1
> Id:             1
> Name:           sys1
> UUID:           fa3c8e06-0877-2a08-06fd-f2479b7bacb4
> OS Type:        hvm
> State:          running
> CPU(s):         1
> CPU time:       11.4s
> Max memory:     524288 kB
> Used memory:    524288 kB
> Autostart:      disable
> Security label: system_u:system_r:virtd_t:s0 (selinux/targeted/enforcing)
> 
> The security label is deterimed via the new virDomainGetSecLabel() API 
> method, which is transported over RPC to the backend driver (qemu in this 
> case), and is entirely independent of the local security model, if any.  
> e.g. this command could be run remotely from an entirely different 
> platform: you just see what's happening on the remote system, as with 
> other attributes of the domain.
> 
> Feedback on the design thus far is sought before proceeding to more 
> comprehensive integration.
> 
> In particular, I'd be interested in any thoughts on the placement of the 
> security labeling driver within libvirt, as this seems to be the most 
> critical architectural issue (I've already refactored this aspect once).  
> 
> Currently, the idea is to attach the security labeling driver to the virt 
> driver, rather than implement it independently as a top-level component as 
> in the case of other types of drivers (e.g. storage).  This is because 
> process-based security labeling is highly dependent on the kind of 
> virtualization in use, and may not make sense at all in some cases (e.g. 
> when using a non-Linux hypervisor, or containers).
> 
> In the case of qemu, a security labeling driver is added to qemud:
> 
> @@ -63,6 +64,7 @@ struct qemud_driver {
>      char *vncListen;
>  
>      virCapsPtr caps;
> +    virSecLabelDriverPtr secLabelDriver;
>  };
> 
> and then initialized during qemud startup from qemudSecLabelInit().  
> 
> During initialization, any available security labeling drivers are probed, 
> and the first one which thinks it should be used is installed. Top-level 
> libvirt API calls are then dispatched to the active security labeling 
> driver via the backend virt driver, as necessary.
> 
> Note that the security labeling framework in this release is always 
> built-in -- it can be made a compile-time option later if desired.
> 
> Requirements not yet addressed include:
> - Labeling of resources and generally comprehensive labeling management
> - Automatic labeling (e.g. for the simple isolation use-case)
> - Integration of labeling support into higher-level management tools such 
>   as virt-manager
> - Integration with the audit subsystem to help with administration and 
>   debugging
> - Domain of interpretation (DOI) checking/translation
> - Python bindings
> 
> As mentioned, the goal at this stage is to get feedback on the underlying 
> design: comments welcome!
> 
> 
> - James
> 
Why do we care about the policy type?  Policy type is a fairly
meaningless object.  If you are trying to figure out if the host machine
is valid to run a virtual machine you should just check whether the type
is valid on the machine,  That way if I define minimum policy with virt
support on one host and targeted policy with virt support on another
machine, both would work.  Finally I think it might be ok for the
administrator to request that this virtual machine would only run on a
machine with SELinux in enforcing mode. For example if you had a fairly
untrusted virtual machine you would want to ensure that the machine was
enforcing SELinux before it got started.