[Pkg-libvirt-maintainers] Bug#781283: libvirt: workaround with clear_emulator_capabilities = 0
Frank G
debian_bugs at greenant.net
Wed May 30 05:56:23 BST 2018
Source: libvirt
Followup-For: Bug #781283
I have managed to workaround this issue with the following settings in /etc/libvirt/qemu.conf:
clear_emulator_capabilities = 0
user = "root"
group = "root"
This is tested using a KVM virtual machine (Debian Stretch) with the following definition:
<filesystem type='mount' accessmode='passthrough'>
<source dir='/mnt/share'/>
<target dir='share'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
</filesystem>
and the following /etc/fstab entry
share /mnt/share/ 9p rw,nodev,relatime,sync,dirsync,access=client,trans=virtio 0 0
I tried a number of different permission settings before disabling clear_emulator_capabilities.
However, this was the only way to permit permission changes to files or normal users (apart from root) to own files.
I am concerned by the potential security implications of this change as it may expose higher privileges for the guest KVM machines.
It would be great if there were a way to support 9pfs passthrough without escalating privileges using this setting.
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (450, 'stable'), (10, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/40 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
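As an added example (not the reporter's code and not part of libvirt), a small audit that parses a qemu.conf and flags the three settings the workaround above changes, so hosts running QEMU as root without dropped capabilities can be found; it assumes libvirt's documented default of clear_emulator_capabilities = 1 and uses a constructed sample config rather than the reporter's file.

```python
import re

# Constructed sample of /etc/libvirt/qemu.conf (not the reporter's file) with
# the three settings from the bug report above applied.
SAMPLE_QEMU_CONF = """
# libvirt QEMU driver configuration (constructed sample)
#user = "libvirt-qemu"
user = "root"
group = "root"
clear_emulator_capabilities = 0
"""

# libvirt conf files hold one "key = value" setting per line.
_SETTING_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

def parse_qemu_conf(text):
    """Parse 'key = value' text into a dict: '#' comment lines are skipped,
    "quoted" strings unquoted, bare integers converted, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        match = _SETTING_RE.match(line)
        if not match:
            continue  # list values span several lines; not needed here
        key, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        elif value.isdigit():
            value = int(value)
        settings[key] = value
    return settings

def audit_qemu_conf(settings):
    """Return (setting, finding) pairs for the privilege-widening settings.
    libvirt defaults to clear_emulator_capabilities = 1 and an unprivileged
    user; with the workaround, a QEMU process compromised from a guest keeps
    root and every capability on the host."""
    findings = []
    if settings.get('clear_emulator_capabilities', 1) == 0:
        findings.append(('clear_emulator_capabilities',
                         'QEMU keeps its capabilities instead of dropping them'))
    if settings.get('user') == 'root':
        findings.append(('user', 'QEMU emulator processes run as root'))
    if settings.get('group') == 'root':
        findings.append(('group', 'QEMU emulator processes run in the root group'))
    return findings

if __name__ == '__main__':
    print(audit_qemu_conf(parse_qemu_conf(SAMPLE_QEMU_CONF)))
```

To check a real host, pass the contents of /etc/libvirt/qemu.conf to parse_qemu_conf instead of the sample; an empty findings list means none of the three settings is in its widened state.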