From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH] logging: lockdown the systemd service configuration
Date: Tue, 26 Sep 2023 17:11:44 +0100
Message-ID: <20230926161144.1049779-1-berrange@redhat.com>

The 'systemd-analyze security' command looks at the unit file
configuration and reports on any settings which increase the attack
surface for the daemon. Since most systemd units are fairly minimalist,
this is generally informing us about settings that we never put any
thought into using before.

In its current configuration it reports

  # systemd-analyze security virtlogd.service
  ...snip...
  → Overall exposure level for virtlogd.service: 9.6 UNSAFE 😨

which is pretty terrible as a score.

If we apply all of the recommendations that appear possible without
(knowingly) breaking functionality it reports:

  # systemd-analyze security virtlogd.service
  ...snip...
  → Overall exposure level for virtlogd.service: 2.2 OK 🙂

which is a pretty decent improvement.

Some of the settings we would like to enable require a systemd version
that is newer than that available in our oldest distro target - RHEL-8
at v239. NB, RestrictSUIDSGID is technically newer than 239, but RHEL-8
backported it, and other distros we target have it by default.
Remaining recommendations are

 ✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)

   We block FOWNER/IPC_OWNER, but can't block the two DAC capabilities.
   Historically apps/users might point QEMU to log files in $HOME,
   pre-created with their own user ID.

 ✗ IPAddressDeny=

   Not required since RestrictAddressFamilies blocks IP usage. Ignoring
   this avoids the overhead of creating a traffic filter that will never
   be used.

 ✗ NoNewPrivileges=

   Highly desirable, but cannot enable it yet, because it will block the
   ability to transition to the virtlogd_t SELinux domain during execve.
   The SELinux policy needs fixing to permit this transition under NNP
   first.

 ✗ PrivateTmp=

   There is a decent chance people have VMs configured with a serial
   port logfile pointing at /tmp. We would cause a regression to use
   private /tmp for logging.

 ✗ PrivateUsers=

   This would put virtlogd inside a user namespace where its root is in
   fact unprivileged. Same problem as the User= setting below.

 ✗ ProcSubset=

   Libraries we link to might read certain non-PID related files from
   /proc.

 ✗ ProtectClock=

   Requires v245

 ✗ ProtectHome=

   Same problem as PrivateTmp=. There's a decent chance that someone has
   a VM configured to write a logfile to /home.

 ✗ ProtectHostname=

   Requires v241

 ✗ ProtectKernelLogs

   Requires v244

 ✗ ProtectProc

   Requires v247

 ✗ ProtectSystem=

   We only set it to 'full', as 'strict' is not viable for our required
   usage.

 ✗ RootDirectory=/RootImage=

   We are not capable of running inside a custom chroot given the need
   to write log files to arbitrary places.

 ✗ RestrictAddressFamilies=~AF_UNIX

   We need AF_UNIX to communicate with other libvirt daemons.

 ✗ SystemCallFilter=~@resources

   We link to libvirt.so which links to libnuma.so which has a
   constructor that calls set_mempolicy. This is highly undesirable to
   do during a constructor.
 ✗ User=/DynamicUser=

   This is highly desirable, but we currently read/write logs as root,
   and directories we're told to write into could be anywhere. So using
   a non-root user would have a major risk of regressions for
   applications and also have upgrade implications.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Michal Privoznik
---
 src/logging/virtlogd.service.in | 94 +++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
index 8e245ddb43..9e3838ff34 100644
--- a/src/logging/virtlogd.service.in
+++ b/src/logging/virtlogd.service.in
@@ -20,5 +20,99 @@ OOMScoreAdjust=-900
 # per systemd recommendations
 LimitNOFILE=1024:524288
 
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL
+CapabilityBoundingSet=~CAP_AUDIT_READ
+CapabilityBoundingSet=~CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_CHOWN
+# Mgmt app/user might have pre-created log files that we're
+# told to open and write to, or be storing them in otherwise
+# inaccessible locations like $HOME. So we need to ignore
+# DAC permission checks.
+#CapabilityBoundingSet=~CAP_DAC_OVERRIDE
+#CapabilityBoundingSet=~CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=~CAP_FOWNER
+CapabilityBoundingSet=~CAP_FSETID
+CapabilityBoundingSet=~CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_IPC_OWNER
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_LEASE
+CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN
+CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_MKNOD
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=~CAP_NET_BROADCAST
+CapabilityBoundingSet=~CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SETFCAP
+CapabilityBoundingSet=~CAP_SETPCAP
+CapabilityBoundingSet=~CAP_SETGID
+CapabilityBoundingSet=~CAP_SETUID
+CapabilityBoundingSet=~CAP_SYSLOG
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_SYS_CHROOT
+CapabilityBoundingSet=~CAP_SYS_MODULE
+CapabilityBoundingSet=~CAP_SYS_NICE
+CapabilityBoundingSet=~CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_SYS_RAWIO
+CapabilityBoundingSet=~CAP_SYS_RESOURCE
+CapabilityBoundingSet=~CAP_SYS_TIME
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_WAKE_ALARM
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+# Cannot enable this as it prevents transitioning to
+# the confined SELinux virtlogd_t domain on execve
+# unless we modify the policy to allow this.
+#NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateNetwork=true
+# XXX someone could configure QEMU to log a serial port to an
+# arbitrary directory, including /tmp, even if this is ill-advised
+#PrivateTmp=true
+# Not until oldest build target has systemd >= v245
+#ProtectClock=true
+ProtectControlGroups=true
+# Not until oldest build target has systemd >= v241
+#ProtectHostname=true
+# Not until oldest build target has systemd >= v244
+#ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+# Not until oldest build target has systemd >= v247
+#ProtectProc=invisible
+ProtectSystem=full
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=~cgroup
+RestrictNamespaces=~ipc
+RestrictNamespaces=~mnt
+RestrictNamespaces=~net
+RestrictNamespaces=~pid
+RestrictNamespaces=~user
+RestrictNamespaces=~uts
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+SystemCallFilter=~@privileged
+# Unfortunately we link to libnuma via libvirt.so which
+# has a constructor that runs unconditionally that invokes
+# set_mempolicy()
+#SystemCallFilter=~@resources
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@obsolete
+UMask=077
+
 [Install]
 Also=virtlogd.socket

-- 
2.41.0
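Review bot: the CapabilityBoundingSet= block enumerates the capabilities to drop one per line, so any capability not named here stays in the bounding set, including ones the kernel gains after this list was written; the comment above the two commented-out DAC lines says those two are all virtlogd needs, and the allow-list form `CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH` states that intent directly, cannot drift as new capabilities appear, and replaces the ~40 deny lines with one. Separately, the SystemCallFilter=~... lines set no SystemCallErrorNumber=, so a filtered call reached through some library path not exercised in testing (the libnuma constructor noted in the comment is exactly that kind of surprise) terminates the daemon with SIGSYS instead of failing the one call; it is worth deciding explicitly whether that or an EPERM return is the failure mode wanted for a daemon that holds the VMs' log files open.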
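As an added example (not libvirt's code and not part of this patch), the following Python models systemd's documented merge rules for CapabilityBoundingSet= and computes what a unit actually leaves in the bounding set, run over a constructed excerpt in the one-capability-per-line deny-list style used above and over the equivalent allow-list form; the capability table it consults is a constructed subset, not read from a running kernel.

```python
"""Effective capability bounding set from a unit's CapabilityBoundingSet= lines.
Added example (not libvirt's code). Follows systemd's documented merge rules:
positive lists keep only what is listed (several lines union), ~lists remove
the listed capabilities, an empty value resets to none and a bare ~ to all."""
import re

# Constructed subset of the kernel's capabilities, deliberately including two
# (CAP_BPF, CAP_PERFMON) that a hand-written deny list might never mention.
KERNEL_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_SYS_ADMIN", "CAP_NET_RAW", "CAP_BPF", "CAP_PERFMON",
})
def effective_bounding_set(unit_text, all_caps=KERNEL_CAPS):
    """Return the capabilities left in the bounding set after all lines apply."""
    current, assigned = set(all_caps), False     # unset => no restriction at all
    for raw in unit_text.splitlines():
        m = re.fullmatch(r"CapabilityBoundingSet=\s*(.*?)\s*", raw.strip())
        if not m:                                # other keys and #comments are inert
            continue
        value = m.group(1)
        invert = value.startswith("~")
        caps = set(value.lstrip("~").split())
        if caps - all_caps:                      # a typo'd name is a silent hole
            raise ValueError(f"unknown capability: {sorted(caps - all_caps)}")
        if not caps:                             # "" -> none, "~" -> all
            current = set(all_caps) if invert else set()
        elif invert:
            current -= caps                      # ~ lines AND together
        elif assigned:
            current |= caps                      # later positive lines OR in
        else:
            current = caps                       # first positive list replaces
        assigned = True
    return frozenset(current)

# Constructed excerpt in the one-capability-per-line deny-list style of the patch.
DENY_LIST_UNIT = """[Service]
CapabilityBoundingSet=~CAP_CHOWN
#CapabilityBoundingSet=~CAP_DAC_OVERRIDE
CapabilityBoundingSet=~CAP_FOWNER
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_NET_RAW
"""
# Allow-list form stating the same intent: keep only the two DAC capabilities.
ALLOW_LIST_UNIT = "[Service]\nCapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH\n"

if __name__ == "__main__":
    for unit in (DENY_LIST_UNIT, ALLOW_LIST_UNIT):
        print(sorted(effective_bounding_set(unit)))   # first keeps CAP_BPF/CAP_PERFMON too
```

The deny-list excerpt leaves the two DAC capabilities plus everything it never named, while the allow-list form leaves exactly the two DAC capabilities.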