
Thread: KVM/QEMU - how do I allow regular users to create / view VM

  1. #11
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,046
    Blog Entries
    2

    Re: KVM/QEMU - how do I allow regular users to create / view VM

    An FYI

    This topic, and various options for authentication including granting ordinary User rights to all management functions, alternate authentication and more, is covered in the SUSE 11 SP4 documentation (which should apply 100% to openSUSE as well):

    https://www.suse.com/documentation/s...t.connect.auth

    As described in the reference,
    Local management <should> be based on Unix Sockets ownership by default, and that should be root/root.
    Assuming that you don't enable an alternative method of authentication, there are two main ways to overcome root-only management, which are to add the User to the libvirt User Group or to modify PolicyKit.

    I'm not in front of a recently built KVM/libvirt HostOS right now,
    but the documentation <suggests> that by default ordinary Users <might> be able to read, but not actively modify or create/delete Guests. The reference does not mention starting/stopping Guests, which would be an executable permission which conceivably would not require a write permission.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
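
Added example, not part of the post above and not code from SUSE or libvirt: a shell check that reads the text of a `libvirtd.conf` and reports who can open the read-write management socket the post describes. It assumes the libvirtd.conf keys `unix_sock_group`, `unix_sock_rw_perms` and `auth_unix_rw`; the sample configuration and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise which local accounts can open libvirtd's
# read-write (management) UNIX socket, from the text of a libvirtd.conf.

conf_get() {   # $1 = key; reads config text on stdin, prints the last
               # uncommented value for that key with quotes stripped
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; sub(/#.*/, "", v); gsub(/[ \t"]/, "", v); val = v }
        }
        END { print val }'
}

rw_access() {  # $1 = config text; prints "<who> auth=<method>"
    group=$(printf '%s\n' "$1" | conf_get unix_sock_group)
    perms=$(printf '%s\n' "$1" | conf_get unix_sock_rw_perms)
    auth=$(printf '%s\n' "$1" | conf_get auth_unix_rw)
    if [ -z "$perms" ]; then
        who="default"               # key not set: built-in default applies
    else
        rest=${perms%?}
        other=${perms#"$rest"}      # last octal digit: everyone else
        grp=${rest#"${rest%?}"}     # second-to-last digit: socket group
        case "$other" in
            2|3|6|7) who="world" ;; # connecting needs write permission
            *) case "$grp" in
                   2|3|6|7) who="group:${group:-root}" ;;
                   *)       who="owner-only" ;;
               esac ;;
        esac
    fi
    echo "$who auth=${auth:-default}"
}

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF='unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
#auth_unix_rw = "none"
auth_unix_rw = "polkit"'

rw_access "$SAMPLE_CONF"    # group:libvirt auth=polkit
```

On a real host, pass the file contents, for example `rw_access "$(cat /etc/libvirt/libvirtd.conf)"`. Where systemd socket units create the libvirt sockets, the mode and group set in those units apply instead of these keys.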

  2. #12
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,109

    Re: KVM/QEMU - how do I allow regular users to create / view VM

    On Tue, 24 Oct 2017 15:36:01 +0000, F style wrote:

    > In other words, I always need to enter root privileges just to start a
    > virtual machine through Virtual machine manager, which is why I'm
    > fearful of, say, using Firefox -and on email- or IRC client while at
    > same time VM running.


    Just because you've started a VM in one terminal window as root doesn't
    mean everything running on your system is running as root. If you're
    logged into the desktop as a regular user and you launch Firefox/IRC/
    whatever on the desktop (using the icons or a second terminal window),
    those are running as the desktop user - not as root.

    In a terminal window, you can type:

    ps aux

    and see in the first column what various processes are running as (and
    before you panic at the number of running processes, remember that there
    are a lot of standard background processes running - things like kworker
    threads are *normal* and nothing to worry about or panic about. The
    important thing is to see the first column showing the user that each
    process is running as.)

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
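
Added example, not part of the post above: the `ps` check it describes, narrowed to the processes in question, with QEMU guest processes owned by root flagged. The function names and the sample process list (user "alice", one guest running as "qemu") are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which account selected processes run as, and flag
# QEMU guest processes owned by root.
# Input format: "USER COMMAND" per line, as printed by `ps -eo user=,comm=`.
# Only the first word of COMMAND is compared (names with spaces are cut).

owners_report() {   # $1 = extended regex matched against the command name
    awk -v pat="$1" '
        $2 ~ pat {
            flag = ($1 == "root" && $2 ~ /^qemu/) ? "  <-- guest running as root" : ""
            printf "%-8s %s%s\n", $1, $2, flag
        }'
}

root_guests() {     # prints the number of QEMU processes owned by root
    awk '$1 == "root" && $2 ~ /^qemu/ { n++ } END { print n + 0 }'
}

# Constructed sample (not from a real host): a desktop session of user
# "alice" with one libvirt-managed guest. ps shortens qemu-system-x86_64.
SAMPLE='root systemd
root kworker/0:1
root libvirtd
qemu qemu-system-x86
alice firefox
alice hexchat
alice virt-manager'

printf '%s\n' "$SAMPLE" | owners_report '^(qemu|libvirtd|firefox|hexchat|virt-manager)'
echo "QEMU processes owned by root: $(printf '%s\n' "$SAMPLE" | root_guests)"
```

On a live host, feed it real data with `ps -eo user=,comm= | owners_report '^qemu'`.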

  3. #13
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,046
    Blog Entries
    2

    Re: KVM/QEMU - how do I allow regular users to create / view VM

    An FYI on this Forum thread...

    Perhaps I personally should have done less assuming and applied myself to KVM/QEMU security assuming nothing a long time ago.
    So, I have done some quick skimming of relevant articles addressing what I feel is a really serious security hole. On a personal machine, allowing a User direct access to managing virtualization can perhaps be YMMV, but it should be considered an extremely serious issue of the highest importance in a Production deployment.

    Since I've only been looking into this for a very short time, currently anything I post on this should be considered "In Progress" and advice that must be double-checked. Maybe after some extensive reading and testing I might feel like posting something that might be considered authoritative in the future... But, unless I run into someone who is expert on this topic, it'll likely be a while...

    What I'm writing here is preliminary and although it is primarily about KVM/QEMU, it's likely applicable to all community virtualization and probably doesn't apply to commercial products (like VMware).

    It should also be noted that SUSE and openSUSE documentation is completely silent on virtualization security, and describes only general machine security. Virtualization security requires additional steps and/or knowledge.

    First, the libvirt architecture is the right design, it separates management completely from running Guests, and that extends also to the security model. This means that no matter how you configure access to libvirt User tools, the Guests run in a different security context which is a dedicated non-login User account "qemu." The consequence is multi-fold and includes the fact that if somehow a Guest process escaped its sandbox, it could be limited in what it might see or access including HostOS files and physical hardware.

    I'm a bit dismayed that kvm and qemu commands don't apply a similar architecture, one way by applying similar permission management on the API level which AFAIK is quite do-able. And so, by default, as people have posted in this thread, ordinary Users can use scripting commands to access virtualization management because that's the Linux default.

    Therefore,
    IMO the first step then should be to find all the alternate ways of managing virtualization other than by libvirt, and their permissions should be set to deny access by the setuid or setgid bits for non-root Users... And there are many kvm and qemu binaries to modify. Maybe an AppArmor or SELinux policy should be built to do this.

    Next step is to decide what security policy to apply.
    Although AppArmor is default on an openSUSE/SUSE, IMO SELinux should be strongly considered because AppArmor application flexibility likely isn't needed for a Production HostOS machine which should be a single purpose machine anyway.

    If you do decide to switch over to SELinux, do so (there was another thread about how to do this within the past couple months in these Forums which I also posted in), then IMO the following RedHat documentation should apply completely except possibly the sections on sVirt (I'm still researching if that is available on openSUSE/SUSE)

    https://access.redhat.com/documentat...uide-en-US.pdf

    As far as openSUSE/SUSE support for SELinux/sVirt, I only found some incomplete attempts to build some modules about 8 months ago.
    sVirt is optional but might not be possible on an openSUSE/SUSE SELinux today, but a nice feature if available. This is one of those things I'm going to research that will take time. sVirt is <very> desirable for those situations where you want to grant multiple Users rights to manage your virtualization; adding the Users to the libvirtd group enables each User full access to every virtualization management function. sVirt allows you to set fine-grained rights, so for instance some Users can be granted rights to start/stop Guests but not to further modify or create new Guests.

    One of the benefits of choosing SELinux is that there are more published articles about using it to lock down a HostOS, but you can stay with AppArmor, too. If you do so, the following article describes how to configure AppArmor, but it seems that AppArmor support for sVirt is not available today. Even if you use AppArmor, read the above Red Hat reference for general configuration best practices, in particular security issues relating to configuring Guest direct access to raw/physical devices and file systems, and access to hardware peripherals.

    http://wiki.apparmor.net/index.php/Libvirt

    HTH and Stay Safe,
    TSU

  4. #14
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,023

    Re: KVM/QEMU - how do I allow regular users to create / view VM

    Originally posted by tsu2:
    > Next step is to decide what security policy to apply.
    > Although AppArmor is default on an openSUSE/SUSE, IMO SELinux should be strongly considered because AppArmor application flexibility likely isn't needed for a Production HostOS machine which should be a single purpose machine anyway.

    SELinux is an amazing pile of ******.
    There is absolutely no scenario I can see, ANYWHERE, where the benefits of having to spend hours on end configuring selinux policies would outweigh the minuscule security you gain from it.

    Zero usability, zero benefit.
    Last edited by hendersj; 27-Oct-2017 at 09:49. Reason: Language
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  5. #15
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,046
    Blog Entries
    2

    Re: KVM/QEMU - how do I allow regular users to create / view VM

    Originally posted by Miuku:
    > SELinux is an amazing pile of ******.
    >
    > There is absolutely no scenario I can see, ANYWHERE, where the benefits of having to spend hours on end configuring selinux policies would outweigh the minuscule security you gain from it.
    >
    > Zero usability, zero benefit.


    Nobody wants to create SELinux policy.
    So, just apply a policy someone else created.
    Unless your machine does something other than what the SELinux policy configures, this practice of using someone else's work should work fine, and in this case a Production HostOS should be a dedicated Virtualization HostOS and nothing more.

    Agreeing but only so far,
    TSU
    Last edited by hendersj; 27-Oct-2017 at 09:49. Reason: Quoted language

  6. #16
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,046
    Blog Entries
    2

    Re: KVM/QEMU - how do I allow regular users to create / view VM

    Small update:

    Apparently today sVirt has been fully integrated into libvirt so it might be that no additional modules may be needed.

    Will need to research this when I next get an opportunity (or someone beats me to it).

    As I posted above,
    sVirt might be fully implemented only if you switch from AppArmor to SELinux, and is implemented only through libvirt.

    A more full description of sVirt features and design objectives:
    http://selinuxproject.org/page/Svirt_requirements_v1.0

    TSU
