[libvirt] On pidfile security and using -daemonize to start qemu/kvm

Daniel P. Berrange berrange at redhat.com
Thu Sep 3 17:19:31 UTC 2009 

On Wed, Sep 02, 2009 at 02:08:37PM -0500, Charles Duffy wrote:
> I had a brief conversation with Daniel Berrange on IRC this morning 
> regarding race conditions in libvirt's invocation of qemu domains. The 
> preferred approach from qemu's maintainership is using -daemonize at 
> invocation, and then waiting for the process to exit before attempting 
> to connect to the monitor; after this occurs, qemu guarantees monitor 
> availability, so no retry/timeout behavior is necessary.
> 
> Dan pointed out an issue with this approach:
> 
> To determine the PID of the qemu instance started, the -pidfile argument 
> to qemu needs to be used with -daemonize. However, -pidfile writes the 
> requested pidfile with qemu's permissions; if the guest were subverted, 
> it could rewrite its pidfile and lead libvirt to kill other, arbitrary 
> processes.
> 
> Neither changing permissions with -runas rather than prior to invocation 
> nor chown'ing the pidfile from libvirt after creation helps, as qemu 
> keeps a file handle on it open throughout operation (to maintain a POSIX 
> lock on the file).
> 
> 
> However, a workaround exists, and it meshes well with a security fix 
> which needs to be implemented anyhow:
> 
> At present, on initial startup or libvirtd restart, we read the PIDs 
> associated with vCPUs from the monitor in virDetectVcpuPIDs(); doing 
> this on libvirtd restart poses a security risk for the reason given 
> above, so we need to have libvirtd record the PIDs on initial startup 
> (before any untrusted code within the guest is ever run) regardless.
> 
> If we also read the libvirtd pidfile at this same early time (before the 
> guest has been started and thus had an opportunity to run untrusted 
> code) and include its contents when writing out the vCPU PIDs, this 
> would eliminate the issue with pidfile ownership blocking use of -daemonize.

That sounds like it is worth a try at least.  Just remmber the 3 
scenarios to test

 - libvirtd as root, qemu configured to run as root
 - libvirtd as root, qemu configured to run as qemu
 - libvirtd as a normal user, qemu matching

If you can get something that launches QEMU in all these scenariso then
you're onto a winner.

Oh, and make sure you have  capng installed/enabled at build time
because that may cause a little fun too

REgards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list