Doc Text:
|
Cause:
When starting up a guest, libvirt needs to prepare all the files that qemu is going to touch. This involves setting up security labels, i.e. DAC labels (aka user:group owners) and SELinux labels, so that qemu can access the desired files. At the same time, when 'remember_owner' is set in qemu.conf (or, if commented out, it's on by default), libvirt uses extended attributes (aka XATTRs) to record the original labels so that they can be restored when qemu shuts down. This comes in handy when the file is in the user's $HOME (e.g. an installation ISO): once qemu no longer uses it, the file has its original owner/SELinux label and thus the ordinary user doesn't lose access to it.
However, the XATTRs are a bit tricky: each security driver (= the piece of code that handles only DAC, or only SELinux) uses its own namespace (so that they are independent) and also has its own reference counter (the reference counter reflects how many times a given file is in use). This means that each file has two reference counters, one for DAC and one for SELinux. Ideally, these are in sync, since the file has both labels after all.
Libvirt does perform a rollback, that is: a list of [path; desired DAC label] pairs is gathered and then applied at once. The same applies to SELinux labels (this means there are two independent lists). If something goes wrong while processing a list, a rollback is performed => the original owner is restored. However, libvirt did not perform a rollback on the DAC list when applying the SELinux list failed.
Another way to look at this (leaving out the 'remember_owner' feature completely) is: when setting up labels, DAC labels are set first (i.e. chown) and only after that SELinux labels are set (i.e. chcon). But if setting up DAC labels succeeded and setting up SELinux labels failed, the files were left with their DAC labels changed, which creates a vulnerability.
Consequence:
If setting up SELinux labels failed at some point, the XATTR refcounter for DAC was left incremented (if remember_owner is enabled, which is the default), and/or all files configured for the domain (disks, sockets, ...) were left with the owner that the domain was configured to run under (if remember_owner is disabled).
Fix:
The fix consists of performing a rollback on DAC driver when SELinux driver fails.
Result:
The XATTR refcounter for DAC no longer increases and files keep their original owner.
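The following is an added illustration, not libvirt code: an in-memory model of the two-driver labelling transaction described above (DAC list applied first, then SELinux list, each driver remembering the original label and keeping its own refcounter), with the `fix_applied` flag switching the missing DAC rollback on or off. File objects, owner and context strings, and the xattr key names are all constructed for the example.

```python
class LabelError(Exception):
    """Raised when a simulated chown/chcon fails."""


def make_file(owner, context):
    # Constructed stand-in for a domain file (disk, socket, ...) plus its XATTRs.
    return {"owner": owner, "context": context,
            "xattr": {"ref_dac": 0, "ref_selinux": 0}}


def _set(f, driver, key, value):
    # "Remember and apply": store the original label on first use in that
    # driver's namespace, bump its refcounter, then apply the new label.
    x = f["xattr"]
    if x["ref_" + driver] == 0:
        x["orig_" + key] = f[key]
    x["ref_" + driver] += 1
    f[key] = value


def _restore(f, driver, key):
    # Drop one reference; put the remembered label back once nobody uses the file.
    x = f["xattr"]
    x["ref_" + driver] -= 1
    if x["ref_" + driver] == 0:
        f[key] = x.pop("orig_" + key)


def label_domain(files, owner, context, fail_at=None, fix_applied=True):
    """Apply DAC labels to every file, then SELinux labels.

    fail_at simulates chcon failing on that file index. Returns True on
    success, False after a rollback. With fix_applied=False the DAC list is
    left as it was applied, which is the bug described in the doc text."""
    for f in files:                      # DAC list: chown everything first
        _set(f, "dac", "owner", owner)
    done = []
    try:
        for i, f in enumerate(files):    # SELinux list: chcon everything
            if i == fail_at:
                raise LabelError("chcon failed on file %d" % i)
            _set(f, "selinux", "context", context)
            done.append(f)
    except LabelError:
        for f in done:                   # SELinux rollback was always present
            _restore(f, "selinux", "context")
        if fix_applied:                  # the fix: also roll back the DAC list
            for f in files:
                _restore(f, "dac", "owner")
        return False
    return True
```

With `fix_applied=False` the surviving files keep `owner == "qemu"` and `ref_dac == 1`; with the fix they return to the original owner and `ref_dac == 0`.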
|