Description

Use libvirt ACLs to grant a user access to only a single VM.

This is for the Fedora 20 feature Virt ACLs

Setup

Functioning virt host and VM. All VM OS welcome. Requires at least Fedora 20 for the host.

How to test

Configure libvirt to use ACLs

By default the ACL backend is turned off. Let's turn it on:

• Switch to root: su -
• Open /etc/libvirt/libvirtd.conf
• Uncomment the line: #access_drivers = [ "polkit" ]
• Restart libvirtd: service libvirtd restart

Give restricted access to a single VM

We define the access logic in polkit rules files. Here we are going to: allow the user to connect to qemu:///system, but _only_ print info about the VM test-day-vm

• As root, edit a new file: /etc/polkit-1/rules.d/99-my-test-day-libvirt.rules
• Paste the following content, replacing MY-USER with your unix username:

// Allow passwordless connection to qemu:///system
polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.user == "MY-USER") {
      return polkit.Result.YES;
  }
});

// Allow user to read basic info about 'test-day-vm'
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.api.domain.getattr" &&
        subject.user == "MY_USER") {
          if (action.lookup("connect_driver") == 'QEMU' &&
              action.lookup("domain_name") == 'test-day-vm') {
            return polkit.Result.YES;
          } else {
            return polkit.Result.NO;
          }
    }
});

• Save that file and exit. Restarting libvirtd is not required.
• Verify that libvirt is filtering the domain list:

$ virsh --connect qemu:///system list --all
 Id    Name                           State
----------------------------------------------------
 58    test-day-vm                    running

• However note that an action like 'suspend' is denied

$ virsh --connect qemu:///system suspend test-day-vm
error: Failed to suspend domain test-day-vm
error: access denied

Provide full access to a single VM

This is not secure.
Providing full access to a VM means the user can alter the VM config to wreak havoc on the host. This is just a demonstration.

• As root, open /etc/polkit-1/rules.d/99-my-test-day-libvirt.rules
• Remove the replace the last rule block with the following block, again replacing MY-USER with your username:

// Give full access to 'test-day-vm'
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
        subject.user == "MY_USER") {
          if (action.lookup("connect_driver") == 'QEMU' &&
              action.lookup("domain_name") == 'test-day-vm') {
            return polkit.Result.YES;
          } else {
            return polkit.Result.NO;
          }
    }
});

• Verify that you can now perform an action on the VM, like suspend (pause) or start

$ virsh --connect qemu:///system suspend test-day-vm
Domain test-day-vm suspended

Cleanup

• /etc/polkit-1/rules.d/99-my-test-day-libvirt.rules
• Undo the libvirtd conf changes listed above and restart libvirtd.

Expected Results

No obvious errors occur, all results are as indicated.

Additional info

This is the tip of the iceberg for ACLs. Complete docs are at:

• http://libvirt.org/acl.html
• http://libvirt.org/aclpolkit.html
• http://fedoraproject.org/wiki/Changes/Virt_ACLs