+1

@Marcus: This is also something on my wish list :-)

@Nux: When we look at SELinux, we should also make it work with AppArmor
(Ubuntu). I think it should not be too hard to fix this for the KVM agent,
as both provide tools to record the permissions and create profiles. But
you never know what you run into ;-)

Regards,
Remi

2015-04-24 2:30 GMT+02:00 Nux! <n...@li.nux.ro>:

> Good proposition.
> Personally I would like to see support for SELinux and separation between
> VMs.
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
> > From: "Marcus" <shadow...@gmail.com>
> > To: dev@cloudstack.apache.org
> > Sent: Friday, 24 April, 2015 00:17:09
> > Subject: KVM securing root
>
> > Has anyone had experience with securing the KVM agent, specifically
> > getting it to run as non-root. I've looked a bit, and I believe it
> > would require code changes.  An initial, simple plan for this (that
> > involves code fixes) might be to do something like:
> >
> > 1) generate a list of included scripts during packaging and create a
> > file for /etc/sudoers.d to allow a cloudstack user to run these. User
> > and sudoers file are added by the package (?)
> > 2) make sure the libvirt socket is owned by the cloudstack group in
> > /etc/libvirt/libvirtd.conf
> > 3) change the code to pass the sudo boolean to every Script command
> > 4) audit for any other hardcoded root paths (e.g. the ssh keys dir) or
> > system commands needed
> > 5) change init script to launch agent as cloudstack user
> >
> > Obviously this doesn't go all the way into auditing how all of the
> > scripts act, or path issues, etc, but it could be a good first step.
> > It would protect against malicious strings passed as parameters to
> > these scripts, but perhaps not in cases where they might be escaped at
> > the first exec and run by the script itself.
> >
> > Alternatively, we could audit all of the scripts, adding sudo where
> > necessary and manually including those into a sudoers.d config.
> >
> > As an in-between, we could add all of the packaged scripts to a
> > sudoers file, and remove them slowly as we audit each script.
>
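
The first two steps of Marcus's plan, as an added shell example that is not CloudStack project code and not written by anyone in the thread: it generates a sudoers.d fragment from a packaged-script list so that the agent user can run exactly those scripts as root, and checks that libvirtd.conf hands the read-write socket to the agent's group. The user and group name `cloudstack`, the script paths, the fragment file name and the libvirtd.conf contents are constructed assumptions; `unix_sock_group` and `unix_sock_rw_perms` are real libvirtd.conf settings.

```shell
#!/bin/sh
# Added example, not CloudStack code: prototype of steps 1 and 2 of the plan
# in the thread. User/group name "cloudstack" and all paths are assumptions.
set -eu

# Step 1: emit a sudoers.d fragment that lets the agent user $1 run exactly
# the packaged scripts listed in file $2 (one absolute path per line) as
# root, and nothing else. Relative paths and shell metacharacters are
# rejected so that a bad list entry cannot widen the rule.
gen_sudoers_fragment() {
    user="$1"
    listfile="$2"
    cmds=""
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            /*) ;;
            *)  echo "refusing relative path: $path" >&2; return 1 ;;
        esac
        case "$path" in
            *[!A-Za-z0-9/._-]*) echo "refusing unsafe characters in: $path" >&2; return 1 ;;
        esac
        if [ -n "$cmds" ]; then cmds="$cmds, $path"; else cmds="$path"; fi
    done < "$listfile"
    [ -n "$cmds" ] || { echo "empty script list" >&2; return 1; }
    printf 'Cmnd_Alias CLOUDSTACK_SCRIPTS = %s\n' "$cmds"
    printf '%s ALL=(root) NOPASSWD: CLOUDSTACK_SCRIPTS\n' "$user"
    printf 'Defaults:%s !requiretty\n' "$user"
}

# Step 2: return 0 only if the libvirtd.conf at $1 gives the read-write
# socket to group $2 with mode 0770 (an active setting, not a commented one).
libvirt_socket_ok() {
    conf="$1"
    group="$2"
    grep -Eq "^[[:space:]]*unix_sock_group[[:space:]]*=[[:space:]]*\"$group\"" "$conf" &&
    grep -Eq '^[[:space:]]*unix_sock_rw_perms[[:space:]]*=[[:space:]]*"0770"' "$conf"
}

# Constructed fixtures so the example runs offline: a script list as a
# package build might generate it, and a libvirtd.conf fragment. Prints the
# directory that holds them.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/scripts.list" <<'EOF'
/usr/share/cloudstack-common/scripts/example-network.sh
/usr/share/cloudstack-common/scripts/example-storage.sh
EOF
    cat > "$dir/libvirtd.conf" <<'EOF'
# constructed fragment; the real file has many more settings
#unix_sock_group = "libvirt"
unix_sock_group = "cloudstack"
unix_sock_rw_perms = "0770"
EOF
    echo "$dir"
}

fixtures=$(make_fixtures)
gen_sudoers_fragment cloudstack "$fixtures/scripts.list" > "$fixtures/cloudstack-agent"
cat "$fixtures/cloudstack-agent"
if libvirt_socket_ok "$fixtures/libvirtd.conf" cloudstack; then
    echo "libvirtd.conf: socket restricted to group cloudstack, mode 0770"
else
    echo "libvirtd.conf: socket not restricted to group cloudstack" >&2
fi
```

Before installing a generated fragment under /etc/sudoers.d, run `visudo -c -f` on it and install it with mode 0440, since sudo ignores fragments with bad syntax or permissions. The `Cmnd_Alias` lists full paths only, which is what keeps the rule from becoming a general root shell; the remaining steps in the plan (passing the sudo flag to every Script command, auditing hardcoded root paths, launching the agent as the unprivileged user) are code and packaging changes that this fragment does not cover.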
