[pve-devel] Running KVM as root is a security issue

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jul 27 20:11:54 CEST 2015


> Exit scripts could be suid if needed. 

Scripts cannot be suid, because the executable is their interpreter, iow /bin/sh,
which in turn is not setuid-root.

> The exit scripts could simply notify some other privileged process 
> that they are shutting down. 

This is better. Even better would be a monitoring process that doesn't need to
be signaled.
(Coincidentally, this would also add the possibility of adding reliably-fired
exit-time hooks.)

>> Can qemu create the tap interface without root privilege ?
(...)
> tunctl -t tap0 -u myuser

Create - no, but they can be assigned a user.
The iproute2 version of the above command would be:
$ ip tuntap add tap0 mode tap user myuser

You can even mknod them into a node-file (which is how they work on BSDs.)

Also, qemu has a helper-script parameter which can be used to have them created.
This would have to be a compiled program and doesn't even need to be suid-root -
all it needs is CAP_NET_ADMIN.

There are a few ioctls that the user cannot issue to tap devices, though, I'm
not sure qemu needs those. (socat for instance fails on taps as a user). But
this can be easily patched if necessary.

Personally I'd like to generally aim for a whitelist permission model.
I.o.w.: never actually use root or setuid-root executables, but provide
the necessary POSIX capabilities, apparmor permissions and
filesystem access. But I fear it's a long and rocky road to get there.
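As an added example (not code from this thread or from the Proxmox project), a small POSIX shell audit for the whitelist model described above: it classifies a helper binary as setuid-root, setuid to another user, carrying file capabilities, or plain, and wraps the non-root tap handover with an ownership check through sysfs. The helper path, device name and user name used below are assumptions.

```shell
#!/bin/sh
# Added example. Audits a helper against the "no setuid-root, only the
# needed capability" model: a tap-creating helper should carry
# CAP_NET_ADMIN as a file capability, not the setuid-root bit.

# classify_helper PATH -> prints one of:
#   missing | setuid-root | setuid-other | filecaps | plain
classify_helper() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    if [ -u "$f" ]; then
        # setuid bit set: distinguish root-owned (full privilege) from other
        owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
        if [ "$owner" = 0 ]; then echo setuid-root; else echo setuid-other; fi
        return 0
    fi
    # getcap prints nothing for a file with no capability set
    if command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$f" 2>/dev/null)" ]; then
        echo filecaps
    else
        echo plain
    fi
}

# hand_tap_to_user DEV USER: create DEV owned by USER (needs CAP_NET_ADMIN),
# then verify the kernel recorded that owner via /sys/class/net/DEV/owner.
hand_tap_to_user() {
    dev=$1; user=$2
    ip tuntap add "$dev" mode tap user "$user" || return 1
    want=$(id -u "$user") || return 1
    got=$(cat "/sys/class/net/$dev/owner") || return 1
    [ "$got" = "$want" ]
}

# Example invocation (assumed path; requires CAP_NET_ADMIN for the second call):
# classify_helper /usr/lib/qemu/qemu-bridge-helper
# hand_tap_to_user tap0 myuser
```

A result of `setuid-root` is the case the thread argues against; `filecaps` is the shape the CAP_NET_ADMIN-only helper would take.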
