[Bug 522845] Re: compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor

Jamie Strandboge jamie at ubuntu.com
Thu Feb 18 17:46:50 GMT 2010


** Description changed:

  libvirt in 10.04 is now compiled with libcap-ng. According to http://libvirt.org/drvqemu.html#securitycap this will affect QEMU/KVM access to files if libvirt is configured to launch VMs as root (the default in Ubuntu, see bug #522619 for why). From the libvirt.org page:
  "The Linux capability feature is thus aimed primarily at the scenario where the QEMU processes are running as root. In this case, before launching a QEMU virtual machine, libvirtd will use libcap-ng APIs to drop all process capabilities. It is important for administrators to note that this implies the QEMU process will only be able to access files owned by root, and not files owned by any other user."
  
  As it happens, the AppArmor security driver (which is enabled by
  default) disallows the SETPCAP capability, which is needed to drop these
- capabilities. As such, these capabilties is not dropped and libvirt
+ capabilities. As such, these capabilties are not dropped and libvirt
  behaves in much the same way as it would without being compiled with
  libcap-ng, like in previous releases of Ubuntu (this is not a security
  issue because the VM is confined by a restrictive AppArmor profile).
- This means that accesses VMs in $HOME still work.
+ This means that accessing VMs in $HOME still work.
  
  However (and this is where the potential problem is) if someone disables the AppArmor security driver or adds this capability to the AppArmor profile, then SETPCAP is available and any VMs that need access to disk files, etc not owned by root will break with the following in /var/log/libvirt/qemu/<machine>.log:
  qemu: could not open disk image /home/.../disk0.qcow2: Permission denied
  
  This could be a serious regression for people using QEMU/KVM without
  AppArmor.
  
  ProblemType: Bug
  Architecture: i386
  Date: Tue Feb 16 14:30:49 2010
  DistroRelease: Ubuntu 10.04
  InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100130)
  Package: libvirt-bin 0.7.5-5ubuntu7
  ProcEnviron:
-  PATH=(custom, user)
-  LANG=en_US.utf8
-  SHELL=/bin/bash
+  PATH=(custom, user)
+  LANG=en_US.utf8
+  SHELL=/bin/bash
  ProcVersionSignature: Ubuntu 2.6.32-13.18-generic
  SourcePackage: libvirt
  Uname: Linux 2.6.32-13-generic i686
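
Review bot: the two reworded sentences in the third paragraph still carry errors in their "+" lines. "these capabilties are not dropped" keeps the misspelling and should read "these capabilities are not dropped", and "accessing VMs in $HOME still work" needs a singular verb: "accessing VMs in $HOME still works". The ProcEnviron lines differ only in leading whitespace, so that part of the change alters nothing in the description's content.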

-- 
compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor
https://bugs.launchpad.net/bugs/522845
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.