From: Ian Campbell
Subject: Re: [PATCH] [RFC] run QEMU as non-root
Date: Fri, 15 May 2015 10:25:49 +0100
Message-ID: <1431681949.8943.34.camel@citrix.com>
References: <1431625956-4323-1-git-send-email-stefano.stabellini@eu.citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1431625956-4323-1-git-send-email-stefano.stabellini@eu.citrix.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Stefano Stabellini
Cc: wei.liu2@citrix.com, xen-devel@lists.xensource.com, ian.jackson@eu.citrix.com
List-Id: xen-devel@lists.xenproject.org

On Thu, 2015-05-14 at 18:52 +0100, Stefano Stabellini wrote:
> Run QEMU as non-root. Starting from uid 6000, the chosen uid is
> base+domid. If the uid doesn't exist, try just 6000. This is less
> secure: ideally we don't want different domains having their QEMUs
> running with the same uid. Finally if uid 6000 doesn't exist either,
> fall back to running QEMU as root.

We can't just pick a random number like that, especially not hardcoded.
You should call getpwent_r.

IIRC what was suggested yesterday IRL was to look for, in order, users
named (prefixes TBD):

    xen-qemudepriv-$domname
    xen-qemudepriv-base (+domid)
    xen-qemudepriv-shared (all qemu in same non-root uid)

If none of those are present then the qemu should not be deprivileged.
There should probably be a knob to fiddle to allow the fallback to be to
fail to create the domain.

Then the admin/postinst can do as they prefer:

    adduser --system xen-qemudepriv-mysecuredomain

    for i in '' $(seq 1 65335) ; do
        adduser --system xen-qemudepriv-base$i
    done

    adduser --system xen-qemudepriv-shared

(and can combine the first with either the second or third as they desire)

There needs to be a documentation update associated with this.
> The uids need to be manually created by the user or, more likely, by the > xen package maintainer. > > To actually secure QEMU when running in Dom0, we need at least to > deprivilege the privcmd and xenstore interfaces, this is just the first > step in that direction. > > Signed-off-by: Stefano Stabellini > --- > tools/libxl/libxl_dm.c | 17 +++++++++++++++++ > tools/libxl/libxl_internal.h | 2 ++ > 2 files changed, 19 insertions(+) > > diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c > index 0c6408d..942c5df 100644 > --- a/tools/libxl/libxl_dm.c > +++ b/tools/libxl/libxl_dm.c > @@ -19,6 +19,8 @@ > > #include "libxl_internal.h" > #include > +#include > +#include > > static const char *libxl_tapif_script(libxl__gc *gc) > { > @@ -439,6 +441,7 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, > int i, connection, devid; > uint64_t ram_size; > const char *path, *chardev; > + struct passwd *user = NULL; > > dm_args = flexarray_make(gc, 16, 1); > > @@ -878,6 +881,20 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc, > default: > break; > } > + > + user = getpwuid(LIBXL_QEMU_BASE_UID + guest_domid); > + if (user == NULL) { > + LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "Could not find uid %d, falling back to %d\n", > + LIBXL_QEMU_BASE_UID + guest_domid, LIBXL_QEMU_BASE_UID); LOG(WARNING, "Could not..") And *LOG* appends \n itself. > + user = getpwuid(LIBXL_QEMU_BASE_UID); > + if (user == NULL) > + LIBXL__LOG(ctx, LIBXL__LOG_WARNING, "Could not find uid %d, starting QEMU as root\n", > + LIBXL_QEMU_BASE_UID); > + } > + if (user) { > + flexarray_append(dm_args, "-runas"); > + flexarray_append(dm_args, user->pw_name); > + } > } > flexarray_append(dm_args, NULL); > return (char **) flexarray_contents(dm_args); > diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h > index 8eb38aa..065ff98 100644 > --- a/tools/libxl/libxl_internal.h > +++ b/tools/libxl/libxl_internal.h 
> @@ -3692,6 +3692,8 @@ static inline void libxl__update_config_vtpm(libxl__gc *gc, > */ > void libxl__bitmap_copy_best_effort(libxl__gc *gc, libxl_bitmap *dptr, > const libxl_bitmap *sptr); > + > +#define LIBXL_QEMU_BASE_UID (6000) > #endif > > /*
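Review bot: in the libxl_dm.c hunk at @@ -878, both getpwuid() calls return a pointer into libc's static passwd buffer, and user->pw_name is then appended to dm_args by pointer; libxl is a library, so any other getpw*() call in the same process before the arguments are consumed silently changes the name handed to -runas. Use getpwuid_r() (or getpwnam_r() for the named accounts suggested above) with a gc-allocated buffer and copy the name with libxl__strdup(gc, ...) before flexarray_append(). Separately, both lookup misses only LOG a WARNING and carry on, so after two misses the end state is QEMU running as root with nothing but a warning to show for it; that final fallback should be an error, or at least gated on a configuration option, rather than a warning. As already noted, LOG(WARNING, ...) appends the newline itself, so the explicit "\n" in both format strings should go.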
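Review bot: the libxl_internal.h hunk hard-codes LIBXL_QEMU_BASE_UID as 6000 in an internal header, so neither a distribution nor an administrator can change it without rebuilding libxl, and nothing stops the range 6000+domid from colliding with accounts that already exist on the host. Resolve the account by name at run time (the xen-qemudepriv-* users proposed above) instead of by fixed uid, or at the very least make the base configurable. The commit message also says the uids must be created by the user or the package maintainer, yet the patch touches no documentation under docs/ and no packaging hook, so the expected account names and the fallback behaviour need to be documented alongside this change.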
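The lookup order proposed in this reply (per-domain account, then the "base" account plus domid, then the shared account, with a knob that turns a miss into a failed domain creation instead of a root QEMU), written out as an added example. This is illustration code, not libxl code and not anything from the patch. Assumptions: the "xen-qemudepriv-" prefix (the thread leaves prefixes TBD); "base (+domid)" is read as "uid of the base account plus domid, which must itself exist"; when the base account exists but that uid does not, the search falls through to the shared account; the knob is the allow_root parameter; and the sample_accounts table is constructed for the example, not taken from any real host. The real-directory path uses the reentrant getpwnam_r/getpwuid_r rather than the getpwuid() in the patch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define QEMU_USER_PREFIX "xen-qemudepriv-"   /* assumption: the thread leaves prefixes TBD */

enum qemu_user_kind { QEMU_USER_NONE = 0, QEMU_USER_PERDOM, QEMU_USER_BASE, QEMU_USER_SHARED };
struct qemu_user_choice { enum qemu_user_kind kind; char name[64]; uid_t uid; gid_t gid; };

/* Account directory behind a function pointer so the selection logic can run offline.
 * lookup(): name != NULL selects by name, else by uid; 1 = found, 0 = absent, -1 = error. */
struct qemu_user_dir { int (*lookup)(const char *, uid_t, struct qemu_user_choice *); };

/* Real directory: reentrant getpwnam_r/getpwuid_r, growing the buffer on ERANGE and
 * copying the fields out, unlike getpwuid(), which returns libc's static storage. */
int passwd_lookup(const char *name, uid_t uid, struct qemu_user_choice *out)
{
    struct passwd pw, *res = NULL;
    int rc = ERANGE;
    for (size_t len = 1024; rc == ERANGE && len <= (1u << 20); len *= 2) {
        char *buf = malloc(len);
        if (!buf) return -1;
        rc = name ? getpwnam_r(name, &pw, buf, len, &res)
                  : getpwuid_r(uid, &pw, buf, len, &res);
        if (rc == 0 && res) {
            snprintf(out->name, sizeof out->name, "%s", pw.pw_name);
            out->uid = pw.pw_uid;
            out->gid = pw.pw_gid;
        }
        free(buf);
    }
    if (rc != 0) { errno = rc; return -1; }
    return res != NULL;
}

/* uid of a real account on this host, or -1 if there is none. */
long passwd_uid_of(const char *name)
{
    struct qemu_user_choice c;
    return passwd_lookup(name, 0, &c) == 1 ? (long)c.uid : -1;
}

/* Selection in the order proposed above: per-domain account, then the uid of the "base"
 * account plus domid (that uid must itself exist), then the shared account. With
 * allow_root == 0 (the knob) a miss fails domain creation instead of running QEMU as root. */
int choose_qemu_user(const struct qemu_user_dir *dir, const char *domname,
                     unsigned domid, int allow_root, struct qemu_user_choice *out)
{
    struct qemu_user_choice base;
    char cand[64];
    int rc;
    memset(out, 0, sizeof *out);
    snprintf(cand, sizeof cand, QEMU_USER_PREFIX "%s", domname);
    if ((rc = dir->lookup(cand, 0, out)) < 0) return -1;
    if (rc) { out->kind = QEMU_USER_PERDOM; return 0; }
    if ((rc = dir->lookup(QEMU_USER_PREFIX "base", 0, &base)) < 0) return -1;
    if (rc) {   /* base exists but nothing at base+domid: fall through (assumption) */
        if ((rc = dir->lookup(NULL, base.uid + domid, out)) < 0) return -1;
        if (rc) { out->kind = QEMU_USER_BASE; return 0; }
    }
    if ((rc = dir->lookup(QEMU_USER_PREFIX "shared", 0, out)) < 0) return -1;
    if (rc) { out->kind = QEMU_USER_SHARED; return 0; }
    out->kind = QEMU_USER_NONE;
    if (!allow_root) { errno = ENOENT; return -1; }
    return 0;
}

/* Constructed sample accounts standing in for /etc/passwd (not from any real host). */
static const struct qemu_user_choice sample_accounts[] = {
    { 0, "xen-qemudepriv-mysecuredomain", 6100, 6100 },
    { 0, "xen-qemudepriv-base",           7000, 7000 },
    { 0, "xen-qemudepriv-base3",          7003, 7000 },   /* the slot for domid 3 */
    { 0, "xen-qemudepriv-shared",         6999, 6999 },
};
static size_t fake_n;   /* how many of sample_accounts the fake directory exposes */

static int fake_lookup(const char *name, uid_t uid, struct qemu_user_choice *out)
{
    for (size_t i = 0; i < fake_n; i++) {
        const struct qemu_user_choice *e = &sample_accounts[i];
        if (name ? strcmp(e->name, name) == 0 : e->uid == uid) { *out = *e; return 1; }
    }
    return 0;
}

/* Run the selection against the sample table (populated=1) or an empty one; returns the
 * chosen kind (want_uid=0) or uid (want_uid=1), and -1 when creation must fail. */
long fake_choose(int populated, const char *domname, unsigned domid, int allow_root, int want_uid)
{
    struct qemu_user_dir dir = { fake_lookup };
    struct qemu_user_choice c;
    fake_n = populated ? sizeof sample_accounts / sizeof sample_accounts[0] : 0;
    if (choose_qemu_user(&dir, domname, domid, allow_root, &c) < 0) return -1;
    return want_uid ? (long)c.uid : (long)c.kind;
}
```

Against the sample table, "mysecuredomain" resolves to its own account whatever its domid, an unnamed domain with domid 3 lands on uid 7003 (base 7000 + 3), domid 4 has no such slot and falls to the shared account, and with the table empty the call fails unless allow_root is set. On a real host, passing a `struct qemu_user_dir` holding passwd_lookup to choose_qemu_user() does the same walk through the system's accounts; the chosen name is what would go after -runas.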