Public bug reported:
libvirt in 10.04 is now compiled with libcap-ng. According to
http://libvirt.org/drvqemu.html#securitycap this will affect QEMU/KVM access to
files if libvirt is configured to launch VMs as root (the default in Ubuntu,
see bug #522619 for why). From the libvirt.org page:
"The Linux capability feature is thus aimed primarily at the scenario where the
QEMU processes are running as root. In this case, before launching a QEMU
virtual machine, libvirtd will use libcap-ng APIs to drop all process
capabilities. It is important for administrators to note that this implies the
QEMU process will only be able to access files owned by root, and not files
owned by any other user."
As it happens, the AppArmor security driver (which is enabled by
default) disallows the SETPCAP capability, which is needed to drop these
capabilities. As such, these capabilties is not dropped and libvirt
behaves in much the same way as it would without being compiled with
libcap-ng, like in previous releases of Ubuntu (this is not a security
issue because the VM is confined by a restrictive AppArmor profile).
This means that accesses VMs in $HOME still work.
However (and this is where the potential problem is) if someone disables the
AppArmor security driver or adds this capability to the AppArmor profile, then
SETPCAP is available and any VMs that need access to disk files, etc not owned
by root will break with the following in /var/log/libvirt/qemu/<machine>.log:
qemu: could not open disk image /home/.../disk0.qcow2: Permission denied
This could be a serious regression for people using QEMU/KVM without
AppArmor.
ProblemType: Bug
Architecture: i386
Date: Tue Feb 16 14:30:49 2010
DistroRelease: Ubuntu 10.04
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100130)
Package: libvirt-bin 0.7.5-5ubuntu7
ProcEnviron:
PATH=(custom, user)
LANG=en_US.utf8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.32-13.18-generic
SourcePackage: libvirt
Uname: Linux 2.6.32-13-generic i686
** Affects: libvirt (Ubuntu)
Importance: Undecided
Status: Triaged
** Tags: apport-bug i386 lucid
--
compiling with libcap-ng disallows qemu/kvm access to files not owned by root
when not using AppArmor
https://bugs.launchpad.net/bugs/522845
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
