[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v2] run QEMU as non-root
Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" + domid, finally "xen-qemudepriv-shared" and root if everything else fails. The uids need to be manually created by the user or, more likely, by the xen package maintainer. To actually secure QEMU when running in Dom0, we need at least to deprivilege the privcmd and xenstore interfaces, this is just the first step in that direction. Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> --- docs/misc/qemu-deprivilege | 34 +++++++++++++++++++++++++++++++++ tools/libxl/libxl_dm.c | 43 ++++++++++++++++++++++++++++++++++++++++++ tools/libxl/libxl_internal.h | 4 ++++ 3 files changed, 81 insertions(+) create mode 100644 docs/misc/qemu-deprivilege diff --git a/docs/misc/qemu-deprivilege b/docs/misc/qemu-deprivilege new file mode 100644 index 0000000..761dca2 --- /dev/null +++ b/docs/misc/qemu-deprivilege @@ -0,0 +1,34 @@ +For security reasons, libxl tries to create QEMU as non-root. +Libxl looks for the following users in this order: + +1) a user named "xen-qemudepriv-$domname" +Where $domname is the name of the domain being created. +To use this, you just need to create a user with the appropriate name +for each domain. For example, if your virtual machine is named "windows": + +adduser --system xen-qemudepriv-windows + + +2) a user named "xen-qemudepriv-base", adding domid to its uid +If xen-qemudepriv-base has uid 6000, and the domid is 25, libxl will try +to use uid 6025. To use this mechanism, you might want to create a large +number of users at installation time. For example: + +adduser --system xen-qemudepriv-base +for i in '' $(seq 1 65335) +do + adduser --system xen-qemudepriv-base$i +done + + +3) a user named "xen-qemudepriv-shared" +As a fall back if both 1) and 2) fail, libxl will use a single user for +all QEMU instances. The user is named xen-qemudepriv-shared. This is +less secure but still better than running QEMU as root. Using this is as +simple as creating just one more user on your host: + +adduser --system xen-qemudepriv-shared + + +4) root +As a last resort, libxl will start QEMU as root. diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c index 0c6408d..6981978 100644 --- a/tools/libxl/libxl_dm.c +++ b/tools/libxl/libxl_dm.c @@ -19,6 +19,8 @@ #include "libxl_internal.h" #include <xen/hvm/e820.h> +#include <sys/types.h> +#include <pwd.h> static const char *libxl_tapif_script(libxl__gc *gc) { @@ -439,6 +441,9 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, int i, connection, devid; uint64_t ram_size; const char *path, *chardev; + struct passwd pwd, *user = NULL; + char *buf; + long buf_size; dm_args = flexarray_make(gc, 16, 1); @@ -878,6 +883,44 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, default: break; } + + buf_size = sysconf(_SC_GETPW_R_SIZE_MAX); + if (buf_size < 0) { + LOGE(ERROR, "sysconf(_SC_GETPW_R_SIZE_MAX) returned error %ld", buf_size); + goto end_search; + } + buf = libxl__malloc(gc, buf_size); + + if (c_info->name) { + getpwnam_r(libxl__sprintf(gc, "%s-%s", + LIBXL_QEMU_USER_PREFIX, c_info->name), + &pwd, buf, buf_size, &user); + if (user != NULL) + goto end_search; + } + + getpwnam_r(LIBXL_QEMU_USER_BASE, &pwd, buf, buf_size, &user); + if (user != NULL) { + getpwuid_r(user->pw_uid + guest_domid, &pwd, buf, buf_size, &user); + if (user != NULL) + goto end_search; + } + + LOG(WARN, "Could not find user %s-%s or user %s (+domid %d), falling back to %s", + LIBXL_QEMU_USER_PREFIX, c_info->name, LIBXL_QEMU_USER_BASE, + guest_domid, LIBXL_QEMU_USER_SHARED); + + getpwnam_r(LIBXL_QEMU_USER_SHARED, &pwd, buf, buf_size, &user); + if (user != NULL) + goto end_search; + + LOG(WARN, "Could not find user %s, starting QEMU as root", LIBXL_QEMU_USER_SHARED); + +end_search: + if (user) { + flexarray_append(dm_args, "-runas"); + flexarray_append(dm_args, user->pw_name); + } } flexarray_append(dm_args, NULL); return (char **) flexarray_contents(dm_args); diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h index 8eb38aa..cf271b3 100644 --- a/tools/libxl/libxl_internal.h +++ b/tools/libxl/libxl_internal.h @@ -3692,6 +3692,10 @@ static inline void libxl__update_config_vtpm(libxl__gc *gc, */ void libxl__bitmap_copy_best_effort(libxl__gc *gc, libxl_bitmap *dptr, const libxl_bitmap *sptr); + +#define LIBXL_QEMU_USER_PREFIX "xen-qemudepriv" +#define LIBXL_QEMU_USER_BASE LIBXL_QEMU_USER_PREFIX"-base" +#define LIBXL_QEMU_USER_SHARED LIBXL_QEMU_USER_PREFIX"-shared" #endif /* -- 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |