Re: [Qemu-devel] Re: [PATCH 0/4] net-bridge: rootless bridge support for qemu

[Anthony Liguori]

Michael S. Tsirkin wrote:
> > Well it doesn't really help with the issue of privileges which is what  
> > this series is really about.
> >
> > Regards,
> >
> > Anthony Liguori
> >     
>
> I note that by default you grant all users all access.
> If you do that, just give them net cap admin already?
>   

By default, I give no users any access.

qemu-bridge-helper carries cap_net_admin but it doesn't do everything 
cap_net_admin does.  Since an administrator has to set that capability, 
the admin is going to make it owned by root so that an unprivileged user 
cannot change it.  Modulo bugs, it's a very restricted subset of 
cap_net_admin.

In order for a user to be able to get a tap device connected to a 
bridge, the following things must be true:

1) the user must have execute privileges for qemu-bridge-helper
2) the user must have read/write access to /dev/net/tun
3) there must be an /etc/qemu/bridge.conf that is readable by the user
4) the config must have an explicit rule allowing access to the required 
bridge device

So the user is very restricted in what they can do and they must be 
granted these permissions explicitly by an administrator.  By using 
multiple bridge.conf files, an administrator can also create policies 
based on filesystem permissions allowing certain user/groups to access 
only certain bridges.

With raw, qemu must carry cap_net_raw.   That is definitely not safe for 
an untrusted user.  Allowing an untrusted user to connect a VM to a 
bridged physical network, on the other hand, seems to be a rather safe 
thing to do as long as there are strongly ways to control which bridges 
they can connect to.

Regards,

Anthony Liguori