Richard W.M. Jones
2012-May-09 19:49 UTC
[Libguestfs] Writing policy for guestfsd in libguestfs live
Dan(s), I hope you can give us some advice on this.

Background: guestfsd is a guest agent. Normally it runs inside a special appliance; that's *not* the case that I'm worried about. There's also another mode where you can run guestfsd inside a regular Fedora or RHEL guest, and it handles instructions from the host to perform filesystem operations. The mode is called 'libguestfs live'[1][2] and architecturally it looks like this:

    +-------------------------+
    | Fedora/RHEL guest       |
    |                         |
    |   guestfsd (agent)      |     qemu/KVM
    +------^------------------+
           |                        Host
           | (virtio serial channel)
           v
       libguestfs (library)
       some program using libguestfs, eg. guestfish, a virt tool

If you want to try it, install 'libguestfs-live-service' in a Fedora guest, edit the guest XML as per instructions in [2], and on the host do:

    guestfish --live -d FedoraGuest

and try sending (non-destructive) commands to the guest agent.

Currently guestfsd is a monolithic daemon, so if you choose to run it in your guest, then it can do pretty much anything in the libguestfs API, which is a shorthand way of saying it can do pretty much anything, eg. reading and writing any guest file, executing any program, creating and deleting guest partitions, creating and deleting guest LVs ...

The expected scenario is that the guest is controlled by the same authority as the host, but possibly in future we'll have to find a way to limit what guestfsd can do (via a configuration file).

The questions are:

(a) Can we meaningfully write an SELinux policy to confine guestfsd? For example if guestfsd were to be included as a separate package in RHEL, which it might be for RHEL 6.4.

(b) Can we change the design of guestfsd (within reason) to make it simpler to write SELinux policy for guestfsd, and if so how?

(c) Is there any sort of privilege separation design that would make sense here (cf. Privilege-separated OpenSSH).

Rich.
[1] http://libguestfs.org/guestfs.3.html#attaching_to_running_daemons
[2] https://rwmj.wordpress.com/2011/07/06/libguestfs-live/

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
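Question (c) above asks what an OpenSSH-style privilege separation would look like for a guest agent, and the post also mentions limiting the agent through a configuration file. The sketch below is an added example written for this page; it is not libguestfs code and does not use the real guestfsd protocol. It assumes a hypothetical one-line-per-request text protocol ("verb path"), three made-up operations (stat, unlink, exec), and an in-memory allowlist standing in for the per-guest configuration file. The untrusted text is parsed in a forked child (where a real agent would also drop to an unprivileged uid and chroot, omitted here because that needs root), and only a fixed-layout struct crosses a socketpair to the privileged parent, which holds the policy check and performs the operation. Because the policy decision lives on the privileged side, a compromised parser cannot skip it, and the parent's tiny surface (read one struct, run one allowlisted syscall) is also the part an SELinux domain would have to describe.

```c
/* privsep_sketch.c: added illustration of an OpenSSH-style split for a
 * guest agent. Not libguestfs code; the protocol, operations and policy
 * table are assumptions made for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

enum op     { OP_NONE = 0, OP_STAT, OP_UNLINK, OP_EXEC };
enum result { RES_OK = 0, RES_BADREQ = 1, RES_DENIED = 2, RES_FAILED = 3 };

/* The only thing that crosses the privilege boundary: a fixed-size record,
 * never the raw request text. */
struct request { int op; char path[256]; };

/* Stand-in for the per-guest configuration file mentioned in the post
 * (assumed format): which operations this guest lets the agent perform. */
static const enum op allowed_ops[] = { OP_STAT };

int policy_allows(enum op op)
{
    size_t i;
    for (i = 0; i < sizeof allowed_ops / sizeof allowed_ops[0]; i++)
        if (allowed_ops[i] == op) return 1;
    return 0;
}

/* Runs in the unprivileged child: turn untrusted text into a struct.
 * Any parser bug here is confined to a process with nothing to lose. */
int parse_request(const char *line, struct request *out)
{
    char verb[16];
    memset(out, 0, sizeof *out);
    if (sscanf(line, "%15s %255s", verb, out->path) != 2) return -1;
    if (strcmp(verb, "stat") == 0)        out->op = OP_STAT;
    else if (strcmp(verb, "unlink") == 0) out->op = OP_UNLINK;
    else if (strcmp(verb, "exec") == 0)   out->op = OP_EXEC;
    else return -1;
    return 0;
}

/* Runs in the privileged parent: enforce policy first, then act. */
enum result perform(const struct request *r)
{
    struct stat st;
    if (!policy_allows((enum op)r->op)) return RES_DENIED;
    switch (r->op) {
    case OP_STAT:   return stat(r->path, &st) == 0 ? RES_OK : RES_FAILED;
    case OP_UNLINK: return unlink(r->path) == 0 ? RES_OK : RES_FAILED;
    default:        return RES_DENIED;  /* exec deliberately unimplemented */
    }
}

/* Handle one request line using the two-process split. */
enum result run_privsep(const char *line)
{
    int sv[2];
    struct request r;
    size_t got = 0;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return RES_FAILED;
    pid = fork();
    if (pid < 0) return RES_FAILED;
    if (pid == 0) {
        /* Child: a real agent would setgid()/setuid() to an unprivileged
         * account and chroot() to an empty directory here (needs root). */
        close(sv[0]);
        if (parse_request(line, &r) == 0 &&
            write(sv[1], &r, sizeof r) == (ssize_t)sizeof r)
            _exit(0);
        _exit(1);
    }
    /* Parent: read exactly one record; anything else is a bad request. */
    close(sv[1]);
    while (got < sizeof r) {
        ssize_t n = read(sv[0], (char *)&r + got, sizeof r - got);
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    if (got != sizeof r) return RES_BADREQ;
    return perform(&r);
}

int main(void)
{
    const char *lines[] = { "stat /", "unlink /tmp/never-touched",
                            "exec /bin/sh", "garbage" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> %d\n", lines[i], (int)run_privsep(lines[i]));
    return 0;
}
```

The shape matters more than the details: the parent never sees attacker-controlled bytes except through a struct of known layout, and each denied operation is refused before any syscall runs. Extending this toward the monitor/worker pattern OpenSSH uses would mean keeping the child alive for the whole session and having it request each privileged action individually, so the SELinux policy for the parent stays small and enumerable while the child's domain can be far more restrictive.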