Libguestfs - Mar 2017 - [PATCH] lib: libvirt: If root, run qemu as root.root.

Previously we had assumed that when running as root, libvirt would
always run qemu as a non-root user (eg. qemu.qemu), unless you modify
a global configuration file (/etc/libvirt/qemu.conf).

It turns out there is a little-known feature to make libvirt run qemu
as root without modifying any configuration files.  We have to add a
<seclabel/> element to the appliance XML:

  <seclabel type='static' model='dac'
relabel='no'>
    <label>root:root</label>
  </seclabel>

For further information see:

  https://libvirt.org/formatdomain.html#seclabel

This change adds the required <seclabel/> element when running as
root, and also removes the code which changed the owner of the console
and daemon sockets, as that is no longer required.

Thanks: Peter Krempa, Pino Toscano, Dan Berrange.
---
 lib/launch-libvirt.c | 60 +++++++++++-----------------------------------------
 1 file changed, 12 insertions(+), 48 deletions(-)

diff --git a/lib/launch-libvirt.c b/lib/launch-libvirt.c
index 168bba6..81cdead 100644
--- a/lib/launch-libvirt.c
+++ b/lib/launch-libvirt.c
@@ -523,53 +523,6 @@ launch_libvirt (guestfs_h *g, void *datav, const char
*libvirt_uri)
 
   clear_socket_create_context (g);
 
-  /* libvirt, if running as root, will run the qemu process as
-   * qemu.qemu, which means it won't be able to access the socket.
-   * There are roughly three things that get in the way:
-   *
-   * (1) Permissions of the socket.
-   *
-   * (2) Permissions of the parent directory(-ies).  Remember this if
-   *     $TMPDIR is located in your home directory.
-   *
-   * (3) SELinux/sVirt will prevent access.  libvirt ought to label
-   *     the socket.
-   *
-   * Note that the 'current_proc_is_root' flag here just means that we
-   * are root.  It's also possible for non-root user to try to use the
-   * system libvirtd by specifying a qemu:///system URI (RHBZ#913774)
-   * but there's no sane way to test for that.
-   */
-  if (params.current_proc_is_root) {
-    /* Current process is root, so try to create sockets that are
-     * owned by root.qemu with mode 0660 and hence accessible to qemu.
-     */
-    struct group *grp;
-
-    if (chmod (data->guestfsd_path, 0660) == -1) {
-      perrorf (g, "chmod: %s", data->guestfsd_path);
-      goto cleanup;
-    }
-
-    if (chmod (data->console_path, 0660) == -1) {
-      perrorf (g, "chmod: %s", data->console_path);
-      goto cleanup;
-    }
-
-    grp = getgrnam ("qemu");
-    if (grp != NULL) {
-      if (chown (data->guestfsd_path, 0, grp->gr_gid) == -1) {
-        perrorf (g, "chown: %s", data->guestfsd_path);
-        goto cleanup;
-      }
-      if (chown (data->console_path, 0, grp->gr_gid) == -1) {
-        perrorf (g, "chown: %s", data->console_path);
-        goto cleanup;
-      }
-    } else
-      debug (g, "cannot find group 'qemu'");
-  }
-
   /* Store any secrets in libvirtd, keeping a mapping from the secret
    * to its UUID.
    */
@@ -1256,7 +1209,18 @@ construct_libvirt_xml_seclabel (guestfs_h *g,
                                 const struct libvirt_xml_params *params,
                                 xmlTextWriterPtr xo)
 {
-  if (!params->enable_svirt) {
+  if (params->current_proc_is_root) {
+    /* Force libvirt to run qemu as root.root. */
+    start_element ("seclabel") {
+      attribute ("type", "static");
+      attribute ("model", "dac");
+      attribute ("relabel", "no");
+      start_element ("label") {
+        string ("root:root");
+      } end_element ();
+    } end_element ();
+  }
+  else if (!params->enable_svirt) {
     /* This disables SELinux/sVirt confinement. */
     start_element ("seclabel") {
       attribute ("type", "none");
-- 
2.10.2

On Tue, Mar 14, 2017 at 01:50:58PM +0000, Richard W.M. Jones
wrote:
> Previously we had assumed that when running as root, libvirt would
> always run qemu as a non-root user (eg. qemu.qemu), unless you modify
> a global configuration file (/etc/libvirt/qemu.conf).
> 
> It turns out there is a little-known feature to make libvirt run qemu
> as root without modifying any configuration files.  We have to add a
> <seclabel/> element to the appliance XML:
> 
>   <seclabel type='static' model='dac'
relabel='no'>
>     <label>root:root</label>
>   </seclabel>
There is a hidden problem with this patch which was discussed on IRC:

Libvirt drops all capabilities from the qemu process before running it
as root.  This means that although it runs as the root user, it cannot
do usual root-like things.  In particular it cannot access files as
the root owner (it will access them as if "other", so a file with mode
0644 for example can only be opened for reading).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v