[Bug 522845] [NEW] compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor

Jamie Strandboge jamie at ubuntu.com
Tue Feb 16 20:49:32 GMT 2010 

Public bug reported:

libvirt in 10.04 is now compiled with libcap-ng. According to http://libvirt.org/drvqemu.html#securitycap this will affect QEMU/KVM access to files if libvirt is configured to launch VMs as root (the default in Ubuntu, see bug #522619 for why). From the libvirt.org page:
"The Linux capability feature is thus aimed primarily at the scenario where the QEMU processes are running as root. In this case, before launching a QEMU virtual machine, libvirtd will use libcap-ng APIs to drop all process capabilities. It is important for administrators to note that this implies the QEMU process will only be able to access files owned by root, and not files owned by any other user."

As it happens, the AppArmor security driver (which is enabled by
default) disallows the SETPCAP capability, which is needed to drop these
capabilities. As such, these capabilties is not dropped and libvirt
behaves in much the same way as it would without being compiled with
libcap-ng, like in previous releases of Ubuntu (this is not a security
issue because the VM is confined by a restrictive AppArmor profile).
This means that accesses VMs in $HOME still work.

However (and this is where the potential problem is) if someone disables the AppArmor security driver or adds this capability to the AppArmor profile, then SETPCAP is available and any VMs that need access to disk files, etc not owned by root will break with the following in /var/log/libvirt/qemu/<machine>.log:
qemu: could not open disk image /home/.../disk0.qcow2: Permission denied

This could be a serious regression for people using QEMU/KVM without
AppArmor.

ProblemType: Bug
Architecture: i386
Date: Tue Feb 16 14:30:49 2010
DistroRelease: Ubuntu 10.04
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100130)
Package: libvirt-bin 0.7.5-5ubuntu7
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.utf8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.32-13.18-generic
SourcePackage: libvirt
Uname: Linux 2.6.32-13-generic i686

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: Triaged


** Tags: apport-bug i386 lucid

-- 
compiling with libcap-ng disallows qemu/kvm access to files not owned by root when not using AppArmor
https://bugs.launchpad.net/bugs/522845
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.

More information about the Ubuntu-server-bugs mailing list