[Bug 103010] Re: qemu no tun/tap networking

Kees Cook kees at ubuntu.com
Tue Mar 9 16:54:17 GMT 2010

@Chris Yup, I understand how capabilities work.  I'm actively working on
getting fscaps functioning with Debian/Ubuntu packaging (see
https://wiki.ubuntu.com/Security/FilesystemCapabilties).  (You seemed to
miss me changing "ep" to "ei" in the wiki -- I've added the old
instructions back and clarified the procedure.)

Just because qemu claims to only work on tun/tap devices doesn't mean it
can't be subverted into working on arbitrary network devices.  In a
perfect world, upstream qemu will create a helper tool that uses
fscaps, etc, and correctly manages the tun/tap devices before launching
qemu itself.  That reduces the exposure of CAP_NET_ADMIN and makes for a
more auditable chunk of code.

I'll leave it up to the qemu maintainer in Ubuntu how to handle these
things, but I just wanted to confirm that arbitrarily giving everyone
CAP_NET_ADMIN (or being setuid root) via qemu was not preferred.  If
it's done via file permissions and a qemu-runners group, plus fscaps
=ep, or done via fscaps =ei and select users are given =i via pam_cap, I
don't much care.  :)

Regardless, fscaps are not supported in Debian/Ubuntu packaging (which I
very much want to fix), so this is all a non-issue until that is solved.
In the meantime, I feel it is my responsibility to provide as safe a set
of instructions that accomplishes the goal of accessing the tun/tap


More information about the Ubuntu-server-bugs mailing list