[Kimchi-devel] [RFC][PATCH V3 3/3] Don't allow templates to be created with ISOs that won't be usable.

shaohef at linux.vnet.ibm.com shaohef at linux.vnet.ibm.com
Mon Mar 10 15:02:00 UTC 2014


From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>

qemu can't use an ISO if it has no search permission on the directories
containing the file.
Return an error explaining this, and suggest the way to fix it.

http://libvirt.org/drvqemu.html#securitydac
In the "session" instance, the POSIX users/groups model restricts QEMU
virtual machines (and libvirtd in general) to only have access to
resources with the same user/group ID as the client application. There
is no finer level of configuration possible for the "session" instances.

If QEMU virtual machines from the "system" instance are being run as
non-root, there will be greater restrictions on what host resources the
QEMU process will be able to access. The libvirtd daemon will attempt to
manage permissions on resources to minimise the likelihood of
unintentional security denials

Any files/devices used as guest disk images must be accessible to
the user/group ID that QEMU guests are configured to run as. The
libvirtd daemon will automatically set the ownership of the file/device
path to the correct user/group ID. Applications / administrators must be
aware though that the parent directory permissions may still deny
access. The directories containing disk images must either have their
ownership set to match the user/group configured for QEMU, or their UNIX
file permissions must have the 'execute/search' bit enabled for
'others'.

The simplest option is the latter one, of just enabling the
'execute/search' bit. For any directory to be used for storing disk
images, this can be achieved by running the following command on the
directory itself, and any parent directories

    chmod o+x /path/to/directory

In particular note that if using the "system" instance and
attempting to store disk images in a user home directory, the default
permissions on $HOME are typically too restrictive to allow access.

Signed-off-by: Christy Perez <christy at linux.vnet.ibm.com>
Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
---
 src/kimchi/i18n.py            |  5 +++++
 src/kimchi/model/templates.py | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/kimchi/i18n.py b/src/kimchi/i18n.py
index 3108921..1ae3889 100644
--- a/src/kimchi/i18n.py
+++ b/src/kimchi/i18n.py
@@ -54,6 +54,11 @@ messages = {
     "KCHISO0005E": _("Invalid El Torito boot indicator in ISO %(filename)s"),
     "KCHISO0006E": _("Unexpected volume type for primary volume in ISO %(filename)s"),
     "KCHISO0007E": _("Bad format while reading volume descriptor in ISO %(filename)s"),
+    "KCHISO0008E": _("The hypervisor doesn't have permission to use this ISO %(filename)s. "
+                     "Consider moving it under /var/lib/libvirt,  or set the search permission "
+                     "to file access control lists for '%(user)s' user if possible, or add the "
+                     "'%(user)s' to the ISO path group, or (not recommended) 'chmod -R o+x 'path_to_iso'."
+                     "Details: %(err)s" ),
 
     "KCHVM0001E": _("Virtual machine %(name)s already exists"),
     "KCHVM0002E": _("Virtual machine %(name)s does not exist"),
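Review bot: the new KCHISO0008E text has a missing space before "Details:" (the two adjacent literals concatenate to `'path_to_iso'.Details: %(err)s`), a doubled space after "/var/lib/libvirt,", and unbalanced quotes in `'chmod -R o+x 'path_to_iso'`. The `-R` also goes further than the libvirt text quoted in the commit message, which asks only for `chmod o+x` on the directory and each of its parents; a recursive run would additionally set the execute bit on every file below that path. Suggest ending with something like: `"or (not recommended) run 'chmod o+x' on each directory leading to the ISO. Details: %(err)s"`.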
diff --git a/src/kimchi/model/templates.py b/src/kimchi/model/templates.py
index 2e66a94..5376b6c 100644
--- a/src/kimchi/model/templates.py
+++ b/src/kimchi/model/templates.py
@@ -25,7 +25,9 @@ import libvirt
 
 from kimchi import xmlutils
 from kimchi.exception import InvalidOperation, InvalidParameter
+from kimchi.kvmusertests import UserTests
 from kimchi.utils import pool_name_from_uri
+from kimchi.utils import probe_file_permission_as_user
 from kimchi.vmtemplate import VMTemplate
 
 
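Review bot: style, the two `from kimchi.utils import ...` lines can be merged into one, `from kimchi.utils import pool_name_from_uri, probe_file_permission_as_user`. `probe_file_permission_as_user` is not defined in this patch, so it presumably comes from an earlier patch in the series; the two should be applied together or this hunk fails at import time.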
@@ -36,8 +38,17 @@ class TemplatesModel(object):
 
     def create(self, params):
         name = params.get('name', '').strip()
+        iso = params['cdrom']
+        # check search permission
+        if iso.startswith('/') and os.path.isfile(iso):
+            user = UserTests().probe_user()
+            ret, excp = probe_file_permission_as_user(iso, user)
+            if ret is False:
+                raise InvalidParameter('KCHISO0008E',
+                                       {'filename': iso, 'user': user,
+                                        'err': excp})
+
         if not name:
-            iso = params['cdrom']
             iso_name = os.path.splitext(iso[iso.rfind('/') + 1:])[0]
             name = iso_name + str(int(time.time() * 1000))
             params['name'] = name
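Review bot: `iso = params['cdrom']` now runs unconditionally (it was previously evaluated only inside `if not name:`), so a request that omits `cdrom` raises a bare KeyError at this line instead of a validation error, unless the request schema already makes `cdrom` mandatory; if it does not, use `params.get('cdrom')` and skip the probe when it is absent. Minor: `if ret is False:` reads more naturally as `if not ret:`. The probe only covers absolute local paths that exist, so remote ISOs and non-existent paths bypass it and surface later from libvirt, which looks intended but is worth a comment.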
-- 
1.8.4.2
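As an added illustration of the rule the commit message quotes from libvirt (the 'execute/search' bit must be set, for the user QEMU runs as, on every directory leading to the disk image), here is a stand-alone Python check. It is example code written for this page, not Kimchi's `probe_file_permission_as_user` and not libvirt code: it walks the directory chain for a given uid and group set using plain mode bits, returns the directories that block traversal, and shows the `chmod o+x` fix on a constructed temporary layout. The `resolve_user` helper (via `pwd` and `os.getgrouplist`) and the "other user" built from the current uid+1 are assumptions for the demo; POSIX ACLs, which the error message also mentions, are not consulted, so a directory opened up only through an ACL would still be reported as blocked.

```python
"""Directory search-permission probe (example code, not Kimchi or libvirt).

Reproduces the libvirt rule quoted above: a process running as `uid` can only
open a file if every parent directory grants it the search (x) bit. Only the
POSIX owner/group/other bits are examined; ACLs are out of scope here.
"""
import os
import pwd
import stat
import tempfile


def resolve_user(username):
    """Map a login name (e.g. the account QEMU runs as) to (uid, set of gids).
    Assumption: the account exists in the local passwd/group databases."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(pw.pw_name, pw.pw_gid))


def has_search_bit(st, uid, gids):
    """True if (uid, gids) may traverse a directory whose os.stat() result is st."""
    if uid == 0:
        return True                      # root is not subject to DAC checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def blocking_directories(path, uid, gids, top="/"):
    """Return the directories from `top` down to the parent of `path` (inclusive)
    that `uid` cannot search, top-most first. Empty list: the path is traversable."""
    path = os.path.realpath(path)
    top = os.path.realpath(top)
    chain = []
    d = os.path.dirname(path)
    while True:
        chain.append(d)
        if d == top or d == os.path.dirname(d):   # reached `top` or the filesystem root
            break
        d = os.path.dirname(d)
    chain.reverse()
    return [d for d in chain if not has_search_bit(os.stat(d), uid, gids)]


def grant_search_to_others(directory):
    """The fix libvirt's documentation suggests: `chmod o+x <directory>`."""
    os.chmod(directory, os.stat(directory).st_mode | stat.S_IXOTH)


def make_demo_layout():
    """Constructed fixture: <tmp>/isos/boot.iso with isos/ at mode 0700, so a
    different uid is stopped at isos/ even though the ISO itself is world-readable.
    Returns (base, isos_dir, iso_path), all as real paths."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    isos = os.path.join(base, "isos")
    os.mkdir(isos)
    os.chmod(isos, 0o700)
    iso = os.path.join(isos, "boot.iso")
    with open(iso, "w"):
        pass
    os.chmod(iso, 0o644)
    return base, isos, iso


def constructed_other_user():
    """A made-up non-root identity that is neither the caller's uid nor in its group."""
    return os.getuid() + 1, {os.getgid() + 1}


if __name__ == "__main__":
    base, isos, iso = make_demo_layout()
    uid, gids = constructed_other_user()
    for d in blocking_directories(iso, uid, gids, top=base):
        print("blocked at %s; fix with: chmod o+x %s" % (d, d))
    grant_search_to_others(isos)
    print("after fix:", blocking_directories(iso, uid, gids, top=base))
```

Passing `top=` limits the walk to the part of the tree under your control (for a real ISO you would leave it at `/`, since `/var` or `$HOME` may be the directory that blocks); the list is ordered top-down so the first entry is the directory to fix first.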
