** Description changed: libvirt in 10.04 is now compiled with libcap-ng. According to http://libvirt.org/drvqemu.html#securitycap this will affect QEMU/KVM access to files if libvirt is configured to launch VMs as root (the default in Ubuntu, see bug #522619 for why). From the libvirt.org page: "The Linux capability feature is thus aimed primarily at the scenario where the QEMU processes are running as root. In this case, before launching a QEMU virtual machine, libvirtd will use libcap-ng APIs to drop all process capabilities. It is important for administrators to note that this implies the QEMU process will only be able to access files owned by root, and not files owned by any other user." As it happens, the AppArmor security driver (which is enabled by default) disallows the SETPCAP capability, which is needed to drop these - capabilities. As such, these capabilties is not dropped and libvirt + capabilities. As such, these capabilties are not dropped and libvirt behaves in much the same way as it would without being compiled with libcap-ng, like in previous releases of Ubuntu (this is not a security issue because the VM is confined by a restrictive AppArmor profile). - This means that accesses VMs in $HOME still work. + This means that accessing VMs in $HOME still work. However (and this is where the potential problem is) if someone disables the AppArmor security driver or adds this capability to the AppArmor profile, then SETPCAP is available and any VMs that need access to disk files, etc not owned by root will break with the following in /var/log/libvirt/qemu/<machine>.log: qemu: could not open disk image /home/.../disk0.qcow2: Permission denied This could be a serious regression for people using QEMU/KVM without AppArmor. ProblemType: Bug Architecture: i386 Date: Tue Feb 16 14:30:49 2010 DistroRelease: Ubuntu 10.04 InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100130) Package: libvirt-bin 0.7.5-5ubuntu7 ProcEnviron: - PATH=(custom, user) - LANG=en_US.utf8 - SHELL=/bin/bash + PATH=(custom, user) + LANG=en_US.utf8 + SHELL=/bin/bash ProcVersionSignature: Ubuntu 2.6.32-13.18-generic SourcePackage: libvirt Uname: Linux 2.6.32-13-generic i686
-- compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor https://bugs.launchpad.net/bugs/522845 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
