[PATCH v2] run QEMU as non-root

[PATCH v2] run QEMU as non-root

[Stefano Stabellini]

Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" +
domid, finally "xen-qemudepriv-shared" and root if everything else fails.

The uids need to be manually created by the user or, more likely, by the
xen package maintainer.

To actually secure QEMU when running in Dom0, we need at least to
deprivilege the privcmd and xenstore interfaces, this is just the first
step in that direction.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---
 docs/misc/qemu-deprivilege   |   34 +++++++++++++++++++++++++++++++++
 tools/libxl/libxl_dm.c       |   43 ++++++++++++++++++++++++++++++++++++++++++
 tools/libxl/libxl_internal.h |    4 ++++
 3 files changed, 81 insertions(+)
 create mode 100644 docs/misc/qemu-deprivilege

diff --git a/docs/misc/qemu-deprivilege b/docs/misc/qemu-deprivilege
new file mode 100644
index 0000000..761dca2
--- /dev/null
+++ b/docs/misc/qemu-deprivilege
@@ -0,0 +1,34 @@
+For security reasons, libxl tries to create QEMU as non-root.
+Libxl looks for the following users in this order:
+
+1) a user named "xen-qemudepriv-$domname"
+Where $domname is the name of the domain being created.
+To use this, you just need to create a user with the appropriate name
+for each domain. For example, if your virtual machine is named "windows":
+
+adduser --system xen-qemudepriv-windows
+
+
+2) a user named "xen-qemudepriv-base", adding domid to its uid
+If xen-qemudepriv-base has uid 6000, and the domid is 25, libxl will try
+to use uid 6025. To use this mechanism, you might want to create a large
+number of users at installation time. For example:
+
+adduser --system xen-qemudepriv-base
+for i in '' $(seq 1 65335)
+do
+    adduser --system xen-qemudepriv-base$i
+done
+
+
+3) a user named "xen-qemudepriv-shared"
+As a fall back if both 1) and 2) fail, libxl will use a single user for
+all QEMU instances. The user is named xen-qemudepriv-shared. This is
+less secure but still better than running QEMU as root. Using this is as
+simple as creating just one more user on your host:
+
+adduser --system xen-qemudepriv-shared
+
+
+4) root
+As a last resort, libxl will start QEMU as root.
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 0c6408d..6981978 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -19,6 +19,8 @@
 
 #include "libxl_internal.h"
 #include <xen/hvm/e820.h>
+#include <sys/types.h>
+#include <pwd.h>
 
 static const char *libxl_tapif_script(libxl__gc *gc)
 {
@@ -439,6 +441,9 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc,
     int i, connection, devid;
     uint64_t ram_size;
     const char *path, *chardev;
+    struct passwd pwd, *user = NULL;
+    char *buf;
+    long buf_size;
 
     dm_args = flexarray_make(gc, 16, 1);
 
@@ -878,6 +883,44 @@ static char ** libxl__build_device_model_args_new(libxl__gc *gc,
         default:
             break;
         }
+
+        buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
+        if (buf_size < 0) {
+            LOGE(ERROR, "sysconf(_SC_GETPW_R_SIZE_MAX) returned error %ld", buf_size);
+            goto end_search;
+        }
+        buf = libxl__malloc(gc, buf_size);
+
+        if (c_info->name) {
+            getpwnam_r(libxl__sprintf(gc, "%s-%s",
+                        LIBXL_QEMU_USER_PREFIX, c_info->name),
+                    &pwd, buf, buf_size, &user);
+            if (user != NULL)
+                goto end_search;
+        }
+
+        getpwnam_r(LIBXL_QEMU_USER_BASE, &pwd, buf, buf_size, &user);
+        if (user != NULL) {
+            getpwuid_r(user->pw_uid + guest_domid, &pwd, buf, buf_size, &user);
+            if (user != NULL)
+                goto end_search;
+        }
+
+        LOG(WARN, "Could not find user %s-%s or user %s (+domid %d), falling back to %s",
+                LIBXL_QEMU_USER_PREFIX, c_info->name, LIBXL_QEMU_USER_BASE,
+                guest_domid, LIBXL_QEMU_USER_SHARED);
+        
+        getpwnam_r(LIBXL_QEMU_USER_SHARED, &pwd, buf, buf_size, &user);
+        if (user != NULL)
+            goto end_search;
+
+        LOG(WARN, "Could not find user %s, starting QEMU as root", LIBXL_QEMU_USER_SHARED);
+
+end_search:
+        if (user) {
+            flexarray_append(dm_args, "-runas");
+            flexarray_append(dm_args, user->pw_name);
+        }
     }
     flexarray_append(dm_args, NULL);
     return (char **) flexarray_contents(dm_args);
diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
index 8eb38aa..cf271b3 100644
--- a/tools/libxl/libxl_internal.h
+++ b/tools/libxl/libxl_internal.h
@@ -3692,6 +3692,10 @@ static inline void libxl__update_config_vtpm(libxl__gc *gc,
  */
 void libxl__bitmap_copy_best_effort(libxl__gc *gc, libxl_bitmap *dptr,
                                     const libxl_bitmap *sptr);
+
+#define LIBXL_QEMU_USER_PREFIX "xen-qemudepriv"
+#define LIBXL_QEMU_USER_BASE   LIBXL_QEMU_USER_PREFIX"-base"
+#define LIBXL_QEMU_USER_SHARED LIBXL_QEMU_USER_PREFIX"-shared"
 #endif
 
 /*
-- 
1.7.10.4

Re: [PATCH v2] run QEMU as non-root

[Ian Jackson]

Stefano Stabellini writes ("[PATCH v2] run QEMU as non-root"):
> +2) a user named "xen-qemudepriv-base", adding domid to its uid
> +If xen-qemudepriv-base has uid 6000, and the domid is 25, libxl will try
> +to use uid 6025. To use this mechanism, you might want to create a large
> +number of users at installation time. For example:

You should document explicitly, and not just in the example, that this
will require the reservation of 65536 uids from the uid of
xen-qemudepriv-base to that uid+65535.

> +        buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
> +        if (buf_size < 0) {
> +            LOGE(ERROR, "sysconf(_SC_GETPW_R_SIZE_MAX) returned error %ld", buf_size);
> +            goto end_search;
> +        }
> +        buf = libxl__malloc(gc, buf_size);

This is not the correct use of getpwnam_r.  getpwnam_r is allowed to
fail with ERANGE even if the buffer you provide is as big as the
sysconf requested.

But: is qemu at this point actually multithreaded ?  If not then
plain getpwnam is probably better...

Ian.

Re: [PATCH v2] run QEMU as non-root

[Ian Campbell]

On Fri, 2015-05-15 at 15:28 +0100, Ian Jackson wrote:
> Stefano Stabellini writes ("[PATCH v2] run QEMU as non-root"):
> > +2) a user named "xen-qemudepriv-base", adding domid to its uid
> > +If xen-qemudepriv-base has uid 6000, and the domid is 25, libxl will try
> > +to use uid 6025. To use this mechanism, you might want to create a large
> > +number of users at installation time. For example:
> 
> You should document explicitly, and not just in the example, that this
> will require the reservation of 65536 uids from the uid of
> xen-qemudepriv-base to that uid+65535.
> 
> > +        buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
> > +        if (buf_size < 0) {
> > +            LOGE(ERROR, "sysconf(_SC_GETPW_R_SIZE_MAX) returned error %ld", buf_size);
> > +            goto end_search;
> > +        }
> > +        buf = libxl__malloc(gc, buf_size);
> 
> This is not the correct use of getpwnam_r.  getpwnam_r is allowed to
> fail with ERANGE even if the buffer you provide is as big as the
> sysconf requested.
> 
> But: is qemu at this point actually multithreaded ?  If not then
> plain getpwnam is probably better...

This code is in libxl not qemu...

Ian.

Re: [PATCH v2] run QEMU as non-root

[Jim Fehlig]

Stefano Stabellini wrote:
> Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" +
> domid, finally "xen-qemudepriv-shared" and root if everything else fails.
>
> The uids need to be manually created by the user or, more likely, by the
> xen package maintainer.
>   

FYI, the libvirt qemu driver supports specifying a global uid:gid for
qemu processes in /etc/libvirt/qemu.conf.  The uid:gid can also be tuned
per-domain with something like

  <seclabel type='static' model='dac' relabel='yes'>
    <label>uid:gid</label>
  </seclabel>

The model is a bit different in Xen where only the associated qemu (not
the entire domain) would be running as uid:gid, so I'm not sure if this
is something you want to expose through libxl.

Regards,
Jim

Re: [PATCH v2] run QEMU as non-root

[Stefano Stabellini]

On Fri, 15 May 2015, Jim Fehlig wrote:
> Stefano Stabellini wrote:
> > Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" +
> > domid, finally "xen-qemudepriv-shared" and root if everything else fails.
> >
> > The uids need to be manually created by the user or, more likely, by the
> > xen package maintainer.
> >   
> 
> FYI, the libvirt qemu driver supports specifying a global uid:gid for
> qemu processes in /etc/libvirt/qemu.conf.  The uid:gid can also be tuned
> per-domain with something like
> 
>   <seclabel type='static' model='dac' relabel='yes'>
>     <label>uid:gid</label>
>   </seclabel>
> 
> The model is a bit different in Xen where only the associated qemu (not
> the entire domain) would be running as uid:gid, so I'm not sure if this
> is something you want to expose through libxl.

I think it might be a possibility. We could easily add options to set a
uid and gid per domain to be used for QEMU.