On Fri, 5 Dec 2025, at 07:59, Peter Krempa wrote: > On Thu, Dec 04, 2025 at 19:22:12 -0000, [email protected] wrote: >> Hello, >> >> I'm puzzled by how libvirtd manages access control. >> >> As far as I can tell, on my Fedora system it runs qemu and virtiofsd >> instances as user qemu. Yet, the qemu process apparently has read/write >> access to storage devices in /dev that only root has rw access for. >> Similarly, virtiofsd is able to write into shared directories that the qemu >> user does not have access to (confirmed by switching to qemu user with sudo). >> >> What is libvirtd (or virt-manager) doing to make this work? > > For entries in /dev/ libvirt creates a separate mount namespace for the > qemu process to run in and then adds all nodes which the VM definition > points to (the XML). These are then chown'd to 'qemu' user so that the > qemu process has access to it. All of that without modifying the host > /dev/. In case mount namespaces are disabled you'd see some node files > to be chown'd to qemu.
Ah, that makes sense. Thanks! > In the "system" (qemu:///system) privileged instance of libvirt > 'virtiofsd' still runs as root IIRC because it also wants to to be able > to honour UID changes from the guest on the host. Ah, right you are. Somehow I was assuming this would run as qemu as well. >> Then, as far as I can tell, there's lots of sockets with different >> permissions created by systemd in /run/libvirt (e.g. libvirt-admin-sock, >> libvirt-sock, libvirt-sock-ro). But since they're all passed to libvirtd as >> open file descriptors, I don't understand how they can give different levels >> of access (since libvirtd has no way of knowing which socket was used). > > Libvirt actually does know what socket you've used to connect to it and > actually also knows the UID of the connecting client. This allows > filtering access on a granular level with our ACL support. Hmm.. I'm still confused that none of the socket names are mentioned anywhere in the libvirtd config. For example, if I grep for `sock-ro` or `admin-sock` in /etc/libvirt, I get no matches. Do you know how I could find out what the default permissions are for each socket? And lastly, how do I tell virt-manager what socket to use? The qemu://system URL doesn't seem to directly map to any socket.... Thanks for all your help! Best, -Nikolaus
