Richard W.M. Jones
2022-Mar-22 14:35 UTC
[Libguestfs] [PATCH v2v] lib: Use an ACL to allow qemu to access the v2v directory
For fuller explanation see:
https://bugzilla.redhat.com/show_bug.cgi?id=2066773#c1

I'm not very happy with this patch for a few reasons:

- Does every distro use "qemu" as the user that runs qemu?
- Having to run an external process (not a big deal, but a bit clumsy)
- Aren't ACLs actually deprecated?

Anyway the patch does at least work in my local testing.

Rich.
Richard W.M. Jones
2022-Mar-22 14:35 UTC
[Libguestfs] [PATCH v2v] lib: Use an ACL to allow qemu to access the v2v directory
When using the libvirt backend and running as root, libvirt will run qemu as a non-root user (eg. qemu:qemu). The v2v directory stores NBD endpoints that qemu must be able to open and so we set the directory to mode 0711. Unfortunately this permits any non-root user to open the sockets (since, by design, they have predictable names within the directory). So instead of using directory permissions, use an ACL which allows us to precisely give access to the qemu user and no one else. Reported-by: Xiaodai Wang Thanks: Dr David Gilbert Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2066773 --- lib/utils.ml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/utils.ml b/lib/utils.ml index 757bc73c8e..5623250832 100644 --- a/lib/utils.ml +++ b/lib/utils.ml @@ -158,8 +158,12 @@ let error_if_no_ssh_agent () (* Create the directory containing inX and outX sockets. *) let create_v2v_directory () let d = Mkdtemp.temp_dir "v2v." in + (* If running as root, and if the backend is libvirt, libvirt + * will run qemu as a non-root user. Allow qemu to open the directory. + *) let running_as_root = Unix.geteuid () = 0 in - if running_as_root then Unix.chmod d 0o711; + if running_as_root && backend_is_libvirt () then + ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d))); On_exit.rmdir d; d -- 2.35.1
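Review bot: the exit status of setfacl is discarded by `ignore (Sys.command ...)` in the new `if running_as_root && backend_is_libvirt () then` branch, so if setfacl is not installed, the `qemu` user does not exist on this distro, or the filesystem holding the temporary directory has no ACL support, the directory silently stays inaccessible to qemu and the problem only surfaces later when qemu cannot open the sockets. Check the return value and fail (or at least warn) when it is non-zero. The hard-coded `user:qemu` in the command is the same concern raised in the cover letter; resolving the UID from libvirt's DAC baselabel rather than a fixed username would avoid depending on each distro's choice of account name.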
Daniel P. Berrangé
2022-Mar-22 14:51 UTC
[Libguestfs] [PATCH v2v] lib: Use an ACL to allow qemu to access the v2v directory
On Tue, Mar 22, 2022 at 02:35:54PM +0000, Richard W.M. Jones wrote:
> For fuller explanation see:
> https://bugzilla.redhat.com/show_bug.cgi?id=2066773#c1
>
> I'm not very happy with this patch for a few reasons:
>
> - Does every distro use "qemu" as the user that runs qemu?

Not sure, but you can query this from libvirt

# virsh capabilities | xmllint -xpath '//secmodel[./model="dac"]/baselabel[@type="kvm"]' -
<baselabel type="kvm">+107:+107</baselabel>

The base level here is the label that any files must have in order to be writable by QEMU, using a default process label. In the case of the 'dac' model this is a UID:GID pair (+ indicates numeric ID, as opposed to a username with all numbers).

NB, this doesn't apply if you're overriding the default label to use a distinct UID per VM, but I assume v2v isn't doing that and controls its own VMs

> - Having to run an external process (not a big deal, but a bit clumsy)

In theory libacl gives you programmatic API for this.

> - Aren't ACLs actually deprecated?

Not that I know of.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
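As an added example (not code from the patch, libvirt or virt-v2v), the following POSIX shell script puts the two points of this reply together: it resolves the UID that libvirt's DAC driver runs qemu under from the baselabel returned by `virsh capabilities`, instead of hard-coding the name "qemu", and it grants only that UID access to a directory while checking the setfacl exit status rather than ignoring it. The function names are my own; the parts that touch a live system assume virsh, xmllint, setfacl and getfacl are installed.

```shell
#!/bin/sh
# Added example, not part of the patch or of libvirt/virt-v2v.
# Resolve the UID:GID libvirt's DAC driver uses for qemu and grant only
# that UID access to a directory via a POSIX ACL, with error checking.
set -eu

# Parse a libvirt DAC baselabel such as "+107:+107" or "qemu:qemu" and
# print the numeric UID. A leading "+" marks a numeric ID; a bare name
# is resolved through getent(1). Fails (status 1) on an empty or
# unresolvable label instead of printing nothing.
dac_uid_from_label() {
    label=$1
    user=${label%%:*}              # drop the ":GID" half
    case "$user" in
        '')
            echo "empty DAC baselabel" >&2
            return 1 ;;
        +*)
            printf '%s\n' "${user#+}" ;;
        *)
            uid=$(getent passwd "$user" | cut -d: -f3)
            [ -n "$uid" ] || { echo "unknown user: $user" >&2; return 1; }
            printf '%s\n' "$uid" ;;
    esac
}

# Same for the GID half of the label.
dac_gid_from_label() {
    label=$1
    group=${label#*:}              # drop the "UID:" half
    case "$group" in
        '')
            echo "empty DAC baselabel" >&2
            return 1 ;;
        +*)
            printf '%s\n' "${group#+}" ;;
        *)
            gid=$(getent group "$group" | cut -d: -f3)
            [ -n "$gid" ] || { echo "unknown group: $group" >&2; return 1; }
            printf '%s\n' "$gid" ;;
    esac
}

# Ask the running libvirt daemon for the KVM DAC baselabel (the query
# shown in the reply above, with string() so only the text is printed).
# Assumes virsh and xmllint are installed and libvirtd is reachable.
query_dac_label() {
    virsh capabilities \
      | xmllint --xpath 'string(//secmodel[./model="dac"]/baselabel[@type="kvm"])' -
}

# Grant a single numeric UID rwx on DIR. Unlike `ignore (Sys.command ...)`
# in the patch, a failing setfacl (tool missing, no ACL support on the
# filesystem) is reported, and the ACL is read back to confirm it stuck.
grant_dir_to_uid() {
    dir=$1
    uid=$2
    if ! setfacl -m "user:${uid}:rwx" "$dir"; then
        echo "setfacl failed on $dir (no ACL support or missing tool?)" >&2
        return 1
    fi
    getfacl --omit-header "$dir" | grep -q "^user:.*:rwx" || {
        echo "ACL on $dir did not take effect" >&2
        return 1
    }
}

# Usage on a live host (requires root and a reachable libvirtd):
#   label=$(query_dac_label)
#   grant_dir_to_uid /path/to/v2v.XXXXXX "$(dac_uid_from_label "$label")"
```

Using the numeric UID from the baselabel sidesteps the "does every distro call the user qemu" question entirely, and because the ACL names exactly one principal the directory no longer has to be world-searchable (0711) for qemu to reach the sockets.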