Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libvirtd: polkit integration, security fixes #87576

Merged
merged 2 commits into from May 13, 2020
Merged

libvirtd: polkit integration, security fixes #87576

merged 2 commits into from May 13, 2020

Conversation

offlinehacker
Copy link
Contributor

Motivation for this change

Currently if libvirtd module is enabled anyone can access libvirtd socket (not only read only), since sockets has wide read and write permissions. This is by design, since in most distros polkit is enabled and polkit does auth/authz checks. In nixos (polkit) auth was disabled and it was thought security was enforced by unix_sock_rw_perms, but it was not, since sockets were created by systemd with wide open permissions.

Anyway, enabling polkit authorization fixes all that and enables additional rules to be created. A default rule is that anyone with access to libvirtd group has access to libvirt, which is the same as in other distros.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@offlinehacker offlinehacker requested review from volth and xeji May 11, 2020 04:20
@ofborg ofborg bot requested review from fpletz and globin May 11, 2020 04:28
bjornfor
bjornfor approved these changes May 11, 2020
View reviewed changes
Copy link
Contributor

@bjornfor bjornfor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: 2nd commit should have "nixos/libvirtd" prefix.

@offlinehacker
Copy link
Contributor Author

fixed, thanks

@offlinehacker offlinehacker changed the title Pkgs/libvirtd/polkit libvirtd: polkit integration, security fixes May 12, 2020
@offlinehacker
Copy link
Contributor Author

@GrahamcOfBorg build libvirt

@offlinehacker
Copy link
Contributor Author

I will merge this as it presents a security issue, where it is very easy to compromise nixos workstation running libvirtd. I am also using libvirt for some time with this configuration without any issues.

@offlinehacker offlinehacker merged commit 9a29fe5 into NixOS:master May 13, 2020
@offlinehacker
Copy link
Contributor Author

Good catch I will create new pull request that explicitly enables polkit.

@jakobrs
Copy link
Contributor

jakobrs commented Aug 7, 2020

Can this be backported?

This was referenced Aug 7, 2020
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bjornfor bjornfor bjornfor approved these changes

@ajs124 ajs124 ajs124 approved these changes

@xeji xeji Awaiting requested review from xeji

@fpletz fpletz Awaiting requested review from fpletz

@globin globin Awaiting requested review from globin

Assignees
No one assigned
Labels
6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 11-100 10.rebuild-linux: 11-100
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@offlinehacker @jakobrs @bjornfor @ajs124