qemu: Let users opt-out from containerization
authorMichal Privoznik <mprivozn@redhat.com>
Fri, 18 Nov 2016 15:34:45 +0000 (16:34 +0100)
committerMichal Privoznik <mprivozn@redhat.com>
Thu, 15 Dec 2016 08:25:16 +0000 (09:25 +0100)
Given how intrusive previous patches are, it might happen that
there's a bug or imperfection. Let's give users a way out: if they
set 'namespaces' to an empty array in qemu.conf the feature is
suppressed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
src/qemu/libvirtd_qemu.aug
src/qemu/qemu.conf
src/qemu/qemu_conf.c
src/qemu/qemu_conf.h
src/qemu/qemu_domain.c
src/qemu/test_libvirtd_qemu.aug.in

index f3cc9e684354838fa41d338fe1b251ebd1a918dc..de723b2543b062d7702d2e914213ae3383febb11 100644 (file)
@@ -70,6 +70,7 @@ module Libvirtd_qemu =
                  | str_array_entry "cgroup_controllers"
                  | str_array_entry "cgroup_device_acl"
                  | int_entry "seccomp_sandbox"
+                 | str_array_entry "namespaces"
 
    let save_entry =  str_entry "save_image_format"
                  | str_entry "dump_image_format"
index 2b2bd6031f7b3db244be51543a3df14d1a159d46..a8cd369cbaf246187f8437892c3a7a5fee420a79 100644 (file)
 # Defaults to 4
 #
 #gluster_debug_level = 9
+
+# To enhance security, QEMU driver is capable of creating private namespaces
+# for each domain started. Well, so far only "mount" namespace is supported. If
+# enabled it means qemu process is unable to see all the devices on the system,
+# only those configured for the domain in question. Libvirt then manages
+# devices entries throughout the domain lifetime. This namespace is turned on
+# by default.
+#namespaces = [ "mount" ]
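Review bot: The new comment explains what the mount namespace does but not how to switch it off, which the commit message gives as the purpose of this setting. Consider adding a line such as `# Set to an empty list to disable: namespaces = [ ]`. A sentence saying that disabling it lets the qemu process see all devices on the system again would make the security trade-off explicit. "Well, so far only" could also be tightened to "Currently only".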
index 23a5504e18aa61797ae121d2b83152708406df18..86170fb7ae3526cabd1fee594a5191f942afbec0 100644 (file)
@@ -314,6 +314,12 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
     cfg->glusterDebugLevel = 4;
     cfg->stdioLogD = true;
 
+    if (!(cfg->namespaces = virBitmapNew(QEMU_DOMAIN_NS_LAST)))
+        goto error;
+
+    if (virBitmapSetBit(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT) < 0)
+        goto error;
+
 #ifdef DEFAULT_LOADER_NVRAM
     if (virFirmwareParseList(DEFAULT_LOADER_NVRAM,
                              &cfg->firmwares,
@@ -349,6 +355,7 @@ static void virQEMUDriverConfigDispose(void *obj)
 {
     virQEMUDriverConfigPtr cfg = obj;
 
+    virBitmapFree(cfg->namespaces);
 
     virStringListFree(cfg->cgroupDeviceACL);
 
@@ -433,6 +440,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
     char **hugetlbfs = NULL;
     char **nvram = NULL;
     char *corestr = NULL;
+    char **namespaces = NULL;
 
     /* Just check the file is readable before opening it, otherwise
      * libvirt emits an error.
@@ -798,6 +806,31 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
     if (virConfGetValueUInt(conf, "gluster_debug_level", &cfg->glusterDebugLevel) < 0)
         goto cleanup;
 
+    if (virConfGetValueStringList(conf, "namespaces", false, &namespaces) < 0)
+        goto cleanup;
+
+    if (namespaces) {
+        virBitmapClearAll(cfg->namespaces);
+
+        for (i = 0; namespaces[i]; i++) {
+            int ns = qemuDomainNamespaceTypeFromString(namespaces[i]);
+
+            if (ns < 0) {
+                virReportError(VIR_ERR_CONF_SYNTAX,
+                               _("Unknown namespace: %s"),
+                               namespaces[i]);
+                goto cleanup;
+            }
+
+            if (virBitmapSetBit(cfg->namespaces, ns) < 0) {
+                virReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("Unable to enable namespace: %s"),
+                               namespaces[i]);
+                goto cleanup;
+            }
+        }
+    }
+
     ret = 0;
 
  cleanup:
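Review bot: The `namespaces` string list filled by `virConfGetValueStringList()` appears to be leaked. This hunk ends at the `cleanup:` label as unchanged context and no other hunk in qemu_conf.c touches the cleanup code, so nothing visible releases it on either the success or the error path. Adding `virStringListFree(namespaces);` under `cleanup:` would fix it, using the same helper the dispose function calls for `cgroupDeviceACL`. Separately, the opt-out depends on an empty array producing a non-NULL list, so a short comment above `if (namespaces)` such as `/* an explicit empty list clears the default and disables all namespaces */` would document that. The function body starts and ends outside the hunk.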
index d191e10565b90f5615e53add290f48e6d9bcea7c..92a7a50278b88834513cc69330fc543e3a1f9db9 100644 (file)
@@ -90,6 +90,8 @@ struct _virQEMUDriverConfig {
     gid_t group;
     bool dynamicOwnership;
 
+    virBitmapPtr namespaces;
+
     int cgroupControllers;
     char **cgroupDeviceACL;
 
index 52fe7c01aa748542e3c8f4097f12e6a1ee5f54b6..12114ce700761dedd26e58ae67bb26c903d50161 100644 (file)
@@ -7366,7 +7366,8 @@ qemuDomainCreateNamespace(virQEMUDriverPtr driver,
     char **devMountsPath = NULL;
     size_t ndevMountsPath = 0, i;
 
-    if (!virQEMUDriverIsPrivileged(driver)) {
+    if (!virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT) ||
+        !virQEMUDriverIsPrivileged(driver)) {
         ret = 0;
         goto cleanup;
     }
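Review bot: The early return on `!virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT) || !virQEMUDriverIsPrivileged(driver)` reports success without any trace when an administrator has switched the mount namespace off. A domain started without the private device view therefore cannot be told apart in the logs from one started with it. Splitting the condition and logging the configured-off case, e.g. `VIR_DEBUG("mount namespace disabled in qemu.conf, not creating one");`, would let operators confirm which domains run without this isolation. `cfg` is declared outside the hunk, so this assumes it is already populated before the check; the function starts and ends outside the hunk.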
index f586e956deff9e81561acfae6d4a5e0f40307c1a..a749f09004561a967b4c0afbd517e5f098945fe2 100644 (file)
@@ -91,3 +91,6 @@ module Test_libvirtd_qemu =
 }
 { "stdio_handler" = "logd" }
 { "gluster_debug_level" = "9" }
+{ "namespaces"
+    { "1" = "mount" }
+}