[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] PATCH: Allow QEMU VMs to be run unprivileged



On Thu, Jul 16, 2009 at 03:58:26PM +0200, Daniel Veillard wrote:
> On Thu, Jul 16, 2009 at 01:37:49PM +0100, Daniel P. Berrange wrote:
> > 
> > This patch makes it such that the privileges libvirtd daemon can
> > run unprivileged QEMU guests. The default remains unchanged with
> > QEMU running as root:root, but the package maintainer can request
> > an alternative default user at build time, and the sysadmin can
> > also override this at install time with /etc/libvirt/qemu.conf.
> > 
> > As well as making QEMU setuid/gid to the non-root user, this
> > patch takes care of chown'ing all resources it needs to access.
> > This currently includes
> > 
> >  - /dev/bus/usb/$BUS/$DEVICE  for any assigned USB devices
> >  - /sys/bus/pci/$ADDR/{config,resource*,rom} for PCI devs
> >  - All disk paths
> > 
> > Upon shutdown it will restore ownership to root for all of
> > thesem, except shared/readonly disk images
> > 
> > NB one minor problem is that USB devices attached based
> > on vendor/product ID aren't handled. Need to figure out a
> > way to deal with this....
> 
>   Okay, we can expect some side effect but the best is to get this out
> in next release and make sure our rawhide build activates this (spec
> patch need to be propagated).
> 
>   I think somehow we should make an util function to change uid/gid
> of a file or directory , with a flag to allow recursion, but there isn't
> that much duplication,

I'm not sure about the idea of recursion, there's quite alot of 
files in the /sys/bus/pci/$ADDR directory, and I'm not convinced
that QEMU should be allowed access to all of them. So this has
whitelisted to only those files actually used.

It would still be nice to move this code out. I'm thinking it
could be put into pci.h/.c, and also be given ability to set
SELinux labels. Likewise I think we'll want to introduce a
usb.h/.c file for USB host device mgmt too. So will re-examine
this area of code later.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]