compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libvirt (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
libvirt in 10.04 is now compiled with libcap-ng. According to http://
"The Linux capability feature is thus aimed primarily at the scenario where the QEMU processes are running as root. In this case, before launching a QEMU virtual machine, libvirtd will use libcap-ng APIs to drop all process capabilities. It is important for administrators to note that this implies the QEMU process will only be able to access files owned by root, and not files owned by any other user."
As it happens, the AppArmor security driver (which is enabled by default) disallows the SETPCAP capability, which is needed to drop these capabilities. As such, these capabilities are not dropped and libvirt behaves in much the same way as it would without being compiled with libcap-ng, like in previous releases of Ubuntu (this is not a security issue because the VM is confined by a restrictive AppArmor profile). This means that accessing VMs in $HOME still works.
However (and this is where the potential problem is) if someone disables the AppArmor security driver or adds this capability to the AppArmor profile, then SETPCAP is available and any VMs that need access to disk files, etc. not owned by root will break with the following in /var/log/
qemu: could not open disk image /home/.
This could be a serious regression for people using QEMU/KVM without AppArmor.
ProblemType: Bug
Architecture: i386
Date: Tue Feb 16 14:30:49 2010
DistroRelease: Ubuntu 10.04
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100130)
Package: libvirt-bin 0.7.5-5ubuntu7
ProcEnviron:
PATH=(custom, user)
LANG=en_US.utf8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: libvirt
Uname: Linux 2.6.32-13-generic i686
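The failure described above can be checked from a process's capability set. The following is an added example, not code from libvirt or from this bug report: it reads the effective capability mask from `/proc/<pid>/status` text and applies the kernel's owner/group/other permission check to a disk image. The status snippets and the `can_open` helper are constructed for illustration, and the check covers only the image file's mode bits (not directory traversal, ACLs or AppArmor rules).

```python
# Capability bit numbers from <linux/capability.h>
CAP_DAC_OVERRIDE = 1      # bypass file read/write/execute permission checks
CAP_DAC_READ_SEARCH = 2   # bypass file read and directory search checks

# Constructed samples of /proc/<pid>/status for a QEMU process running as root.
STATUS_DROPPED = (
    "Name:\tqemu-kvm\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "Groups:\t0\nCapEff:\t0000000000000000\n"   # all capabilities dropped
)
STATUS_FULL = STATUS_DROPPED.replace("0000000000000000", "ffffffffffffffff")


def parse_status(text):
    """Return (fsuid, group set, CapEff mask) from /proc/<pid>/status text."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    fsuid = int(fields["Uid"].split()[3])   # real, effective, saved, fs
    fsgid = int(fields["Gid"].split()[3])
    groups = {int(g) for g in fields.get("Groups", "").split()} | {fsgid}
    return fsuid, groups, int(fields["CapEff"].strip(), 16)


def can_open(status_text, st_uid, st_gid, st_mode, want_write=True):
    """Predict whether the process can open a file with this owner and mode."""
    fsuid, groups, cap_eff = parse_status(status_text)
    has = lambda bit: bool((cap_eff >> bit) & 1)
    if has(CAP_DAC_OVERRIDE):
        return True                 # classic "root can open anything" case
    # Without CAP_DAC_OVERRIDE, uid 0 is checked like any other user.
    if st_uid == fsuid:
        bits = (st_mode >> 6) & 7   # owner bits
    elif st_gid in groups:
        bits = (st_mode >> 3) & 7   # group bits
    else:
        bits = st_mode & 7          # other bits
    read_ok = bool(bits & 4) or has(CAP_DAC_READ_SEARCH)
    write_ok = bool(bits & 2)
    return read_ok and (write_ok or not want_write)


if __name__ == "__main__":
    # Image in $HOME owned by uid/gid 1000 with mode 0600 (constructed values).
    print("caps dropped:", can_open(STATUS_DROPPED, 1000, 1000, 0o600))
    print("caps kept:   ", can_open(STATUS_FULL, 1000, 1000, 0o600))
```

On a live host the same function can be fed the contents of `/proc/<pid>/status` for the running QEMU process and the `os.stat()` result for the disk image.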
summary: compiling with libcap-ng disallows qemu/kvm access to files not owned by
- root
+ root when not using AppArmor
Changed in libvirt (Ubuntu):
importance: Undecided → High
description: updated
tags: added: fixed-in-0.7.7
This bug was fixed in the package libvirt - 0.8.1-2ubuntu1
---------------
libvirt (0.8.1-2ubuntu1) maverick; urgency=low
* Merge from debian unstable. Remaining changes: libvirt-bin.postinst: libvirt-bin.postrm: README.Debian: add AppArmor section based on the upstream INSTALLINIT_ARGS for upstart CHECK_TARGET := check libvirt-bin.upstart libvirt-bin.dirs: add /etc/apparmor.d/abstractions, etc/apparmor.d/disable, /etc/apparmor.d/force-complain, etc/apparmor.d/libvirt, /etc/cron.daily and usr/share/apport/package-hooks libvirt-bin.cron.daily libvirt-bin.apport libvirt-bin.install: install apparmor profiles, abstractions libvirt.virt-aa-helper patches/series: disable-network.diff.patch nc-on-EOF.patch. Use
9010-autodetect-nc-params.patch instead iff_up_bridge.patch (refreshed) clobber_existing_bridges.patch default_uri_virsh.patch (updated) default-arch.patch group-name.patch unix-socket-timeout.patch (refreshed) config-test-case.patch (updated) daemon-conf-ftbfs.patch (rewritten) as-root-by-default.patch (refreshed) -nc-params.patch (refreshed, formerly 9015) disable-ipv6.patch (updated) libvirt-bin.postinst: virt-aa-helper profile migration to usr/lib/libvirt libvirt-bin.preinst: added to force complain on certain base-16-for-product-vendor.patch logoutput-timeout.patch ftbfs...
- Fixes:
LP: #522845
LP: #553737
LP: #520386
- debian/control:
+ Build-Depends on qemu-kvm, not qemu
+ Build-Depends on open-iscsi-utils, not open-iscsi
+ Build-Depends on libxml2-utils
+ Build-Depends on libapparmor-dev and Suggests apparmor
+ Bump bridge-utils, dnsmasq-base, netcat-openbsd, and iptables
to Depends of libvirt-bin
+ Drop qemu-kvm and qemu to Suggests
+ We call libxen-dev libxen3-dev, so change all references
+ Rename Vcs-* to XS-Debian-Vcs-*
- debian/
+ rename the libvirt group to libvirtd
+ add each admin user to the libvirtd group
+ reload apparmor profiles
- debian/
+ rename the libvirt group to libvirtd
+ remove apparmor symlinks on purge
- debian/
documentation
- debian/rules:
+ update DEB_DH_
+ add DEB_MAKE_
+ use --with-apparmor
+ copy apparmor and apport hook to debian/tmp
- add debian/
- debian/
/
/
/
- add debian/
- add debian/
- debian/
and apport hook
- debian/apparmor:
- add TEMPLATE
- add libvirt-qemu abstraction
- add usr.lib.
- add usr.sbin.libvirtd
- debian/
+ don't apply 0002-qemu-
+ don't apply 0005-Terminate-
+ 9000-delayed_
+ 9001-dont_
+ 9002-better_
+ 9004-better-
+ 9005-libvirtd-
+ 9006-increase-
+ 9007-default-
+ 9008-fix-
+ 9009-run-
+ 9010-autodetect
+ 9011-dont-
* Dropped following packaging changes, no longer required with upgrades
from Lucid:
- debian/control:
+ versioned Conflicts/Replaces to libvirt0 for libvirt0-dbg
+ remove Build-Depends on libcap-ng-dev
- debian/
/
- debian/
upgrades
* Dropped the following patches, included upstream:
- 0010-Use-
- 9003-increase-
- 9010-apparmor-