[libvirt] [PATCH] qemu: Add a qemu.conf option for clearing capabilities

Cole Robinson crobinso at redhat.com
Fri May 28 16:46:12 UTC 2010


On 05/28/2010 09:16 AM, Eric Blake wrote:
> On 05/27/2010 05:24 PM, Cole Robinson wrote:
>> Currently there is no way to opt out of libvirt dropping POSIX
>> capabilities for qemu. This at least is a useful debugging tool, but
>> is also wanted by users (and distributors):
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=559154
>> https://bugzilla.redhat.com/show_bug.cgi?id=573850
>>
>> Signed-off-by: Cole Robinson <crobinso at redhat.com>
>> ---
>>  src/qemu/qemu.conf     |    5 +++++
>>  src/qemu/qemu_conf.c   |    5 +++++
>>  src/qemu/qemu_conf.h   |    2 +-
>>  src/qemu/qemu_driver.c |   11 +++++++++--
>>  4 files changed, 20 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
>> index 98a1176..b976dcc 100644
>> --- a/src/qemu/qemu.conf
>> +++ b/src/qemu/qemu.conf
>> @@ -178,3 +178,8 @@
>>  # QEMU_AUDIO_DRV environment variable when using VNC.
>>  #
>>  # vnc_allow_host_audio = 0
>> +#
>> +
>> +# If clear_emulator_capabilities is enabled, libvirt will drop all POSIX
>> +# capabilities of the QEmu/KVM emulator. This is enabled by default
>> +# clear_emulator_capabilities = 1
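Review bot: the new qemu.conf comment (the `+#` lines at the end of the hunk) documents only what the enabled state does and says nothing about what is lost when an administrator sets it to 0; since the whole point of the setting is to let users opt out of a hardening step, add a sentence that the emulator then keeps its privileged capabilities and a guest escape gains them on the host. The wording "POSIX capabilities" is also misleading for the same reason, because the sets being dropped are the Linux privileged capabilities, so "privileged capabilities" reads better. Minor: the `+#` followed by an empty `+` line leaves a dangling comment marker before the new paragraph; either drop the blank line or make it a `#` line like the surrounding comment blocks in this file.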
> 
> s/POSIX/privileged/ - POSIX doesn't say anything about superuser
> privileges, so we aren't dropping POSIX capabilities.
> 

Okay.

> Leaving qemu privileged means that a compromised guest can exploit the
> privileges and do damage to the hypervisor; is it worth adding
> additional comments warning the user about the lack of security inherent
> in clearing the option?
> 

How about

# If clear_emulator_capabilities is enabled, libvirt will drop all
# privileged capabilities of the QEmu/KVM emulator. This is enabled by
# default.
#
# Warning: Disabling this option means that a compromised guest can
# exploit the privileges and possibly do damage to the host.

Thanks,
Cole
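Added example, not part of the thread or of libvirt's code: once clear_emulator_capabilities is left at its default of 1, the effect an administrator wants to confirm is that the running emulator process has an empty effective capability set. The script below decodes the CapEff bitmask that Linux exposes in /proc/<pid>/status (bit numbers as in linux/capability.h) and reports which privileged capabilities, if any, the process still holds; it goes beyond the page by decoding the full mask rather than just testing for zero. The sample status excerpts are constructed, and the pid used in the live check is whatever the administrator passes in.

```python
"""Decode the effective capability set of a process from /proc/<pid>/status.

Added example (not libvirt code): after enabling clear_emulator_capabilities
in qemu.conf, a host administrator can confirm that a running emulator really
has no privileged capabilities left by reading its CapEff bitmask.
"""
import re
from typing import List, Tuple

# Bit position -> capability name, as numbered in linux/capability.h
# (CAP_CHOWN is bit 0, CAP_SYS_ADMIN is bit 21, ...).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_caps(hex_mask: str) -> List[str]:
    """Turn a CapEff/CapPrm hex bitmask into the capability names it contains."""
    mask = int(hex_mask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number rather than dropped.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def effective_caps_from_status(status_text: str) -> List[str]:
    """Extract the CapEff line from the text of /proc/<pid>/status and decode it."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return decode_caps(m.group(1))


def emulator_caps_cleared(status_text: str) -> Tuple[bool, List[str]]:
    """Return (True, []) when the process holds no effective capabilities,
    which is the state clear_emulator_capabilities = 1 is meant to produce."""
    caps = effective_caps_from_status(status_text)
    return (len(caps) == 0, caps)


def check_pid(pid: int) -> Tuple[bool, List[str]]:
    """Live check on a Linux host: read /proc/<pid>/status of a running emulator."""
    with open("/proc/%d/status" % pid) as f:
        return emulator_caps_cleared(f.read())


# Constructed sample excerpts of /proc/<pid>/status (not captured from a real host).
STATUS_CLEARED = ("Name:\tqemu-kvm\nPid:\t4242\n"
                  "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")
STATUS_PRIVILEGED = ("Name:\tqemu-kvm\nPid:\t4243\n"
                     "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n")

if __name__ == "__main__":
    for label, text in (("cleared", STATUS_CLEARED), ("privileged", STATUS_PRIVILEGED)):
        ok, caps = emulator_caps_cleared(text)
        if ok:
            print("%s: no effective capabilities" % label)
        else:
            print("%s: still holds %d capabilities, e.g. %s"
                  % (label, len(caps), ", ".join(caps[:3])))
```

On a real host, `check_pid(<emulator pid>)` gives the same answer for a live process; a non-empty list with the option enabled means libvirt did not get to drop the capabilities for that process and is worth investigating before assuming the guest is confined.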
