From nobody Fri Apr 26 18:36:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1548948415653443.191959804484; Thu, 31 Jan 2019 07:26:55 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 16DFC45F86; Thu, 31 Jan 2019 15:26:53 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B83DC16D5C; Thu, 31 Jan 2019 15:26:52 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 1FF9F180339F; Thu, 31 Jan 2019 15:26:52 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0VFQWnv005534 for ; Thu, 31 Jan 2019 10:26:32 -0500 Received: by smtp.corp.redhat.com (Postfix) id 3C09B194B6; Thu, 31 Jan 2019 15:26:32 +0000 (UTC) Received: from beluga.usersys.redhat.com (unknown [10.43.2.166]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8C08C19492; Thu, 31 Jan 2019 15:26:31 +0000 (UTC) 
From: Erik Skultety To: libvir-list@redhat.com Date: Thu, 31 Jan 2019 16:26:14 +0100 Message-Id: <7c54a4e211d2b1dc30f3fb5194bce73879c64b04.1548948096.git.eskultet@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Cc: Erik Skultety Subject: [libvirt] [PATCH 1/5] qemu: conf: Remove /dev/sev from the default cgroup device acl list X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Thu, 31 Jan 2019 15:26:54 +0000 (UTC) Content-Type: text/plain; charset="utf-8" We should not give domains access to something they don't necessarily need by default. Remove it from the qemu driver docs too. Signed-off-by: Erik Skultety Reviewed-by: Daniel P. Berrang=C3=A9 --- docs/drvqemu.html.in | 2 +- src/qemu/qemu.conf | 2 +- src/qemu/qemu_cgroup.c | 2 +- src/qemu/test_libvirtd_qemu.aug.in | 1 - 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/drvqemu.html.in b/docs/drvqemu.html.in index bf60a9144b..5ad956740f 100644 --- a/docs/drvqemu.html.in +++ b/docs/drvqemu.html.in @@ -396,7 +396,7 @@ chmod o+x /path/to/directory /dev/null, /dev/full, /dev/zero, /dev/random, /dev/urandom, /dev/ptmx, /dev/kvm, /dev/kqemu, -/dev/rtc, /dev/hpet, /dev/sev +/dev/rtc, /dev/hpet =20

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index c1f1201134..7820e72dd8 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -490,7 +490,7 @@ # "/dev/null", "/dev/full", "/dev/zero", # "/dev/random", "/dev/urandom", # "/dev/ptmx", "/dev/kvm", "/dev/kqemu", -# "/dev/rtc","/dev/hpet", "/dev/sev" +# "/dev/rtc","/dev/hpet" #] # # RDMA migration requires the following extra files to be added to the lis= t: diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 9ceecb884e..7b7cd4258b 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -46,7 +46,7 @@ const char *const defaultDeviceACL[] =3D { "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom", "/dev/ptmx", "/dev/kvm", "/dev/kqemu", - "/dev/rtc", "/dev/hpet", "/dev/sev", + "/dev/rtc", "/dev/hpet", NULL, }; #define DEVICE_PTY_MAJOR 136 diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 4235464530..51a7ad5892 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
@@ -63,7 +63,6 @@ module Test_libvirtd_qemu =3D { "8" =3D "/dev/kqemu" } { "9" =3D "/dev/rtc" } { "10" =3D "/dev/hpet" } - { "11" =3D "/dev/sev" } } { "save_image_format" =3D "raw" } { "dump_image_format" =3D "raw" } --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 18:36:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1548948437608688.2100735966584; Thu, 31 Jan 2019 07:27:17 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 28B4FD2EEA; Thu, 31 Jan 2019 15:27:00 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BF33654504; Thu, 31 Jan 2019 15:26:59 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 51EE33F603; Thu, 31 Jan 2019 15:26:59 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0VFQXni005544 for ; Thu, 31 Jan 2019 10:26:33 -0500 Received: by smtp.corp.redhat.com (Postfix) id 3AFE119492; Thu, 31 Jan 2019 15:26:33 
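Review bot: the qemu.conf hunk at @@ -490,7 +490,7 @@ is the only place an admin sees the default device list, and since /dev/sev now drops out of it, a short comment in that block saying the device is granted per-domain only to guests that use SEV launch security would stop admins who copy the list into cgroup_device_acl from re-adding it globally for every guest. While the line `# "/dev/rtc","/dev/hpet"` is being touched anyway, the missing space after the comma could be fixed to match the other entries (`# "/dev/rtc", "/dev/hpet"`).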
+0000 (UTC) Received: from beluga.usersys.redhat.com (unknown [10.43.2.166]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8DC4D16E4E; Thu, 31 Jan 2019 15:26:32 +0000 (UTC) From: Erik Skultety To: libvir-list@redhat.com Date: Thu, 31 Jan 2019 16:26:15 +0100 Message-Id: <4a60a955a4dba12852e497a7dff76adb24e082c4.1548948096.git.eskultet@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Cc: Erik Skultety Subject: [libvirt] [PATCH 2/5] qemu: cgroup: Expose /dev/sev/ only to domains that require SEV X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Thu, 31 Jan 2019 15:27:01 +0000 (UTC) Content-Type: text/plain; charset="utf-8" SEV has a limit on number of concurrent guests. From security POV we should only expose resources (any resources for that matter) to domains that truly need them. Signed-off-by: Erik Skultety Reviewed-by: Daniel P. Berrang=C3=A9 --- src/qemu/qemu_cgroup.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7b7cd4258b..e88cb8c45f 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c 
@@ -691,6 +691,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm, } =20 =20 +static int +qemuSetupSEVCgroup(virDomainObjPtr vm) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + int ret; + + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) + return 0; + + ret =3D virCgroupAllowDevicePath(priv->cgroup, "/dev/sev", + VIR_CGROUP_DEVICE_RW, false); + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev", + "rw", ret); + return ret; +} + static int qemuSetupDevicesCgroup(virDomainObjPtr vm) { 
@@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm) goto cleanup; } =20 + if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0) + goto cleanup; + ret =3D 0; cleanup: virObjectUnref(cfg); --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 18:36:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1548948403130197.0790615883734; Thu, 31 Jan 2019 07:26:43 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 98E9BA4035; Thu, 31 Jan 2019 15:26:40 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EBE9A53785; Thu, 31 Jan 2019 15:26:38 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id DD8823F774; Thu, 31 Jan 2019 15:26:37 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0VFQY09005549 for ; Thu, 31 Jan 2019 10:26:34 -0500 Received: by smtp.corp.redhat.com (Postfix) id 3DFAB1A7CE; Thu, 31 Jan 2019 15:26:34 +0000 (UTC) Received: from 
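Review bot: qemuSetupSEVCgroup in the hunk at @@ -691,6 +691,22 @@ hard-codes "/dev/sev" twice (once in the virCgroupAllowDevicePath call and once in the audit call); a single DEV_SEV define, like the ones the later patches in this series add to qemu_domain.c and security_dac.c, keeps the path in one place. The function also has no teardown counterpart; if that is intentional because the device cgroup is removed together with the domain, a one-line comment saying so would pre-empt the question in review.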
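Review bot: the call site at @@ -798,6 +814,9 @@ gates on `vm->def->sev` alone, whereas the mount-namespace counterpart later in this series (qemuDomainSetupLaunchSecurity) additionally checks `sev->sectype != VIR_DOMAIN_LAUNCH_SECURITY_SEV` before creating the device. The two should agree, either by extending the condition here to `vm->def->sev && vm->def->sev->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV` or by moving the sectype check inside qemuSetupSEVCgroup, so that a future non-SEV launch security type does not silently get /dev/sev in its device ACL.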
beluga.usersys.redhat.com (unknown [10.43.2.166]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8991919492; Thu, 31 Jan 2019 15:26:33 +0000 (UTC) From: Erik Skultety To: libvir-list@redhat.com Date: Thu, 31 Jan 2019 16:26:16 +0100 Message-Id: <579c28bc42c18a43cafbb82eae0919a6bab446d3.1548948096.git.eskultet@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Cc: Erik Skultety Subject: [libvirt] [PATCH 3/5] qemu: domain: Add /dev/sev into the domain mount namespace selectively X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Thu, 31 Jan 2019 15:26:41 +0000 (UTC) Content-Type: text/plain; charset="utf-8" Instead of exposing /dev/sev to every domain, do it selectively. Signed-off-by: Erik Skultety Reviewed-by: Daniel P. Berrang=C3=A9 --- src/qemu/qemu_domain.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 5bfe4fe14e..f02c45535a 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -116,6 +116,7 @@ VIR_ENUM_IMPL(qemuDomainNamespace, QEMU_DOMAIN_NS_LAST, #define DEVPREFIX "/dev/" #define DEV_VFIO "/dev/vfio/vfio" #define DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control" +#define DEV_SEV "/dev/sev" =20 =20 struct _qemuDomainLogContext { 
@@ -12200,6 +12201,26 @@ qemuDomainSetupLoader(virQEMUDriverConfigPtr cfg A= TTRIBUTE_UNUSED, } =20 =20 +static int +qemuDomainSetupLaunchSecurity(virQEMUDriverConfigPtr cfg ATTRIBUTE_UNUSED, + virDomainObjPtr vm, + const struct qemuDomainCreateDeviceData *dat= a) +{ + virDomainSEVDefPtr sev =3D vm->def->sev; + + if (!sev || sev->sectype !=3D VIR_DOMAIN_LAUNCH_SECURITY_SEV) + return 0; + + VIR_DEBUG("Setting up launch security"); + + if (qemuDomainCreateDevice(DEV_SEV, data, false) < 0) + return -1; + + VIR_DEBUG("Set up launch security"); + return 0; +} + + int qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg, virSecurityManagerPtr mgr, 
@@ -12271,6 +12292,9 @@ qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg, if (qemuDomainSetupLoader(cfg, vm, &data) < 0) goto cleanup; =20 + if (qemuDomainSetupLaunchSecurity(cfg, vm, &data) < 0) + goto cleanup; + /* Save some mount points because we want to share them with the host = */ for (i =3D 0; i < ndevMountsPath; i++) { struct stat sb; --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 18:36:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1548948430617943.2949712288231; Thu, 31 Jan 2019 07:27:10 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D8F9DA7EF; Thu, 31 Jan 2019 15:27:07 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6E2835D982; Thu, 31 Jan 2019 15:27:07 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 024BA18033A2; Thu, 31 Jan 2019 15:27:07 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 
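Review bot: qemuDomainSetupLaunchSecurity at @@ -12200,6 +12201,26 @@ passes `false` as the last argument to qemuDomainCreateDevice, so, if that flag has the same meaning as in the neighbouring qemuDomainSetup* helpers, a host without /dev/sev fails at namespace-build time; a comment stating that this is deliberate, because a domain with SEV launch security cannot run without the device anyway, would document the choice. Also, the two debug messages `VIR_DEBUG("Setting up launch security")` and `VIR_DEBUG("Set up launch security")` do not say which device was created; including DEV_SEV in the message makes the log useful when a start fails between them.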
x0VFQZbg005555 for ; Thu, 31 Jan 2019 10:26:35 -0500 Received: by smtp.corp.redhat.com (Postfix) id 37B4C16D5C; Thu, 31 Jan 2019 15:26:35 +0000 (UTC) Received: from beluga.usersys.redhat.com (unknown [10.43.2.166]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8B56B19492; Thu, 31 Jan 2019 15:26:34 +0000 (UTC) From: Erik Skultety To: libvir-list@redhat.com Date: Thu, 31 Jan 2019 16:26:17 +0100 Message-Id: <4f764eae6dd14a3db50b1c30a4658ab475528a8e.1548948096.git.eskultet@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Cc: Erik Skultety Subject: [libvirt] [PATCH 4/5] security: dac: Relabel /dev/sev in the namespace X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Thu, 31 Jan 2019 15:27:08 +0000 (UTC) Content-Type: text/plain; charset="utf-8" The default permissions (0600 root:root) are of no use to the qemu process so we need to change the owner to qemu iff running with namespaces. Signed-off-by: Erik Skultety Reviewed-by: Daniel P. Berrang=C3=A9 --- src/security/security_dac.c | 51 +++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 9f73114631..6f8ca8cd54 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c 
@@ -48,6 +48,7 @@ VIR_LOG_INIT("security.security_dac"); =20 #define SECURITY_DAC_NAME "dac" +#define DEV_SEV "/dev/sev" =20 typedef struct _virSecurityDACData virSecurityDACData; typedef virSecurityDACData *virSecurityDACDataPtr; @@ -1676,6 +1677,16 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerP= tr mgr, } =20 =20 +static int +virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED) +{ + /* we only label /dev/sev when running with namespaces, so we don't ne= ed to + * restore anything */ + return 0; +} + + static int virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -1746,6 +1757,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr = mgr, rc =3D -1; } =20 + if (def->sev) { + if (virSecurityDACRestoreSEVLabel(mgr, def) < 0) + rc =3D -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0) rc =3D -1; @@ -1819,6 +1835,36 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr m= gr, } =20 =20 +static int +virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); + virSecurityLabelDefPtr seclabel; + uid_t user; + gid_t group; + + /* Skip chowning /dev/sev if namespaces are disabled as we'd significa= ntly + * increase the chance of a DOS attack on SEV + */ + if (!priv->mountNamespace) + return 0; + + seclabel =3D virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); + if (seclabel && !seclabel->relabel) + return 0; + + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < = 0) + return -1; + + if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV, + user, group, false) < 0) + return -1; + + return 0; +} + + static int virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, 
@@ -1888,6 +1934,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, return -1; } =20 + if (def->sev) { + if (virSecurityDACSetSEVLabel(mgr, def) < 0) + return -1; + } + if (virSecurityDACGetImageIds(secdef, priv, &user, &group)) return -1; =20 --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri Apr 26 18:36:47 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 154894843522449.17762093746251; Thu, 31 Jan 2019 07:27:15 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 041D68050D; Thu, 31 Jan 2019 15:27:13 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9D0175D982; Thu, 31 Jan 2019 15:27:12 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 36A6E3F602; Thu, 31 Jan 2019 15:27:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0VFQa4e005567 for ; Thu, 31 Jan 2019 10:26:36 -0500 Received: by smtp.corp.redhat.com (Postfix) id 
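Review bot: the `#define DEV_SEV "/dev/sev"` added at @@ -48,6 +48,7 @@ duplicates the identical define introduced in qemu_domain.c earlier in this series; a single definition in a shared header, next to the other device path macros, avoids the two drifting apart.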
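Review bot: virSecurityDACSetSEVLabel at @@ -1819,6 +1835,36 @@ calls virSecurityDACSetOwnership with a final `false` and its restore counterpart virSecurityDACRestoreSEVLabel is a no-op, which is only consistent because the chown happens on the private device node inside the domain's mount namespace; the comment explains the DoS concern behind the `!priv->mountNamespace` early return but not this, so stating explicitly that the host's /dev/sev is never relabelled would make the empty restore function understandable to the next reader. That early return also means an SEV guest on a namespace-less configuration starts with /dev/sev still 0600 root:root, which the commit message accepts; a VIR_DEBUG at that point would help diagnose the resulting permission failure.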
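Review bot: the two call sites at @@ -1746,6 +1757,11 @@ and @@ -1888,6 +1934,11 @@ use a nested `if (def->sev) { if (...) }` where the cgroup patch in this series writes `if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)`; collapsing to `if (def->sev && virSecurityDACSetSEVLabel(mgr, def) < 0) return -1;` matches that style. Both sites, like the cgroup one, also skip the `sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV` check that qemuDomainSetupLaunchSecurity performs, so the series should settle on one condition.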
3646519492; Thu, 31 Jan 2019 15:26:36 +0000 (UTC) Received: from beluga.usersys.redhat.com (unknown [10.43.2.166]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8714B16D5C; Thu, 31 Jan 2019 15:26:35 +0000 (UTC) From: Erik Skultety To: libvir-list@redhat.com Date: Thu, 31 Jan 2019 16:26:18 +0100 Message-Id: <6acde6faba93fd1d12581c984e0f846c78969eb0.1548948096.git.eskultet@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Cc: Erik Skultety Subject: [libvirt] [PATCH 5/5] qemu: caps: Use CAP_DAC_OVERRIDE for probing to avoid permission issues X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 31 Jan 2019 15:27:14 +0000 (UTC) Content-Type: text/plain; charset="utf-8" This is mainly about /dev/sev and its default permissions 0600. Of course, rule of 'tinfoil' would be that we can't trust anything, but the probing code in QEMU is considered safe from security's perspective + we can't create a udev rule for this at the moment, because ioctls and filesystem permissions are cross checked in kernel and therefore a user with read permissions could issue a 'privileged' operation on SEV which is currently only limited to root. Signed-off-by: Erik Skultety Reviewed-by: Daniel P. Berrang=C3=A9 --- src/qemu/qemu_capabilities.c | 11 +++++++++++ src/util/virutil.c | 31 +++++++++++++++++++++++++++++-- 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 5cf4b617c6..2e84c965e8 100644 
--- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -53,6 +53,10 @@ #include #include =20 +#if WITH_CAPNG +# include +#endif + #define VIR_FROM_THIS VIR_FROM_QEMU =20 VIR_LOG_INIT("qemu.qemu_capabilities"); @@ -4515,6 +4519,13 @@ virQEMUCapsInitQMPCommandRun(virQEMUCapsInitQMPComma= ndPtr cmd, NULL); virCommandAddEnvPassCommon(cmd->cmd); virCommandClearCaps(cmd->cmd); + +#if WITH_CAPNG + /* QEMU might run into permission issues, e.g. /dev/sev (0600), overri= de + * them just for the purpose of probing */ + virCommandAllowCap(cmd->cmd, CAP_DAC_OVERRIDE); +#endif + virCommandSetGID(cmd->cmd, cmd->runGid); virCommandSetUID(cmd->cmd, cmd->runUid); =20 diff --git a/src/util/virutil.c b/src/util/virutil.c index 5251b66454..02de92061c 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -1502,8 +1502,10 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *gr= oups, int ngroups, { size_t i; int capng_ret, ret =3D -1; - bool need_setgid =3D false, need_setuid =3D false; + bool need_setgid =3D false; + bool need_setuid =3D false; bool need_setpcap =3D false; + const char *capstr =3D NULL; =20 /* First drop all caps (unless the requested uid is "unchanged" or * root and clearExistingCaps wasn't requested), then add back @@ -1512,14 +1514,18 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *g= roups, int ngroups, */ =20 if (clearExistingCaps || (uid !=3D (uid_t)-1 && uid !=3D 0)) - capng_clear(CAPNG_SELECT_BOTH); + capng_clear(CAPNG_SELECT_BOTH); =20 for (i =3D 0; i <=3D CAP_LAST_CAP; i++) { + capstr =3D capng_capability_to_name(i); + if (capBits & (1ULL << i)) { capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_INHERITABLE| CAPNG_PERMITTED|CAPNG_BOUNDING_SET, i); + + VIR_DEBUG("Added '%s' to child capabilities' set", capstr); } } =20 
@@ -1579,6 +1585,27 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, gid_t *gr= oups, int ngroups, goto cleanup; } =20 +# ifdef PR_CAP_AMBIENT + /* we couldn't do this in the loop earlier above, because the capabili= ties + * were not applied yet, since in order to add a capability into the A= MBIENT + * set, it has to be present in both the PERMITTED and INHERITABLE sets + * (capabilities(7)) + */ + for (i =3D 0; i <=3D CAP_LAST_CAP; i++) { + capstr =3D capng_capability_to_name(i); + + if (capBits & (1ULL << i)) { + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0) { + virReportSystemError(errno, + _("prctl failed to enable '%s' in the= " + "AMBIENT set"), + capstr); + goto cleanup; + } + } + } +# endif + /* Set bounding set while we have CAP_SETPCAP. Unfortunately we cannot * do this if we failed to get the capability above, so ignore the * return value. --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
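Review bot: the comment added at @@ -4515,6 +4519,13 @@ names /dev/sev as an example, but CAP_DAC_OVERRIDE lifts DAC checks for every file the probe process opens, not just that device; the comment should say so, and it is worth recording there why the narrower fix was rejected (the commit message explains that a udev rule is not viable because the kernel cross-checks ioctl privilege against file permissions), since that reasoning otherwise lives only in the commit message. The block is also conditioned on WITH_CAPNG, so on builds without libcap-ng the probe keeps failing on /dev/sev exactly as before; a log line in the `#else` branch would make that limitation discoverable.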
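Review bot: in the loop at @@ -1512,14 +1514,18 @@, `capstr = capng_capability_to_name(i)` is evaluated for every capability number even when the bit is not set, and capng_capability_to_name() returns NULL for a number the library does not know, which would then reach the `%s` in VIR_DEBUG; moving the lookup inside the `if (capBits & (1ULL << i))` and printing it as NULLSTR(capstr) handles both. The same pattern repeats in the PR_CAP_AMBIENT loop below, where the NULL would reach virReportSystemError.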
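Review bot: the PR_CAP_AMBIENT block at @@ -1579,6 +1585,27 @@ is guarded only at compile time; a daemon built against headers that define PR_CAP_AMBIENT but running on a kernel without ambient-capability support gets EINVAL from prctl(), and the `goto cleanup` then fails the whole virSetUIDGIDWithCaps() call for every caller that passes a non-zero capBits. Treating EINVAL as "ambient set not supported" (skip with a VIR_DEBUG and continue) would keep those hosts working. A comment would also help here that raising a capability into the ambient set makes it survive execve() into the child and into any process the child spawns, which is why the set of allowed capabilities in this series is kept to CAP_DAC_OVERRIDE for the probe only.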