#765936 bridge network type does not work for non-root

Package:
qemu-system-common
Source:
qemu
Description:
QEMU full system emulation binaries (common files)
Submitter:
Adam Borowski
Date:
2022-06-14 17:09:04 UTC
Severity:
wishlist
Tags:
#765936#5
Date:
2014-10-19 11:33:53 UTC
From:
To:
Hi!
In order to have non-crippled networking (ie, better than the user mode
stack), one needs to either use tap (via qemu-bridge-helper) or a far more
complex setup using vlan.  The helper requires the setuid bit to work, yet
is shipped without it.  I understand the rationale, yet in the current way
the package works, the setuid bit disappears after every qemu upgrade,
making networking "mysteriously" stop working.

Thus, could you please preserve this bit of configuration in some way?

#765936#10
Date:
2014-10-19 12:34:49 UTC
From:
To:
This configuration is unsupported, until proper security model is implemented
upstream.

Thanks,

/mjt

#765936#15
Date:
2014-11-11 07:23:41 UTC
From:
To:
19.10.2014 16:34, Michael Tokarev wrote:

Actually this is the same theme as #766664, merging the two.

Thanks,

/mjt

#765936#26
Date:
2015-05-19 14:12:18 UTC
From:
To:
Hi,

From what I have read elsewhere, it looks like that you need to whitelist
the bridges on which qemu-system-helper can attach new devices (via
/etc/qemu/bridge.conf).

This seems like a reasonable balance if the whitelist is empty by default?

Or if the whitelist only includes the "virbr0" that libvirt setups
for basic NAT networking in VM...

Note that GNOME Boxes for example needs this helper to work in order
to provide a sane networking setup where the host can access the VM:
https://bugzilla.gnome.org/show_bug.cgi?id=677688

At the very least, you could document how users can opt to re-enable
permanently the setuid bit with "dpkg-statoverride" (and ensure that
the package doesn't mess with this).

Please reconsider your position on this topic.

Cheers,

#765936#33
Date:
2017-03-17 11:27:44 UTC
From:
To:
Hi,

Having the binary only executable by group kvm (which is needed for
sensible virt performance) and doing a

     setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper

and not a full u+s would further limit the attack surface. Having
gnome-boxes work out of the box in Stretch would be great.
Cheers,
 -- Guido

#765936#38
Date:
2018-05-24 16:08:42 UTC
From:
To:
Hi,

Any chance this can get fixed?
 -- Guido

#765936#43
Date:
2021-11-26 08:58:05 UTC
From:
To:
Hello,

I've reached this issue after experiencing the same issue.

Everytime I upgrade the `qemu-system-common` package (currently I have
1:6.1+dfsg-8) the suid bit on /usr/lib/qemu/qemu-bridge-helper is reset
and I have to manually set that again by applying the suggestion that is
most commonly found around:

$ sudo chmod u+s /usr/lib/qemu/qemu-bridge-helper

It would be great if the upgrade process would not interfere with this
decision of the user.

Also is this comment still relevant to the issue?

Thanks!

Best,

#765936#48
Date:
2022-06-13 22:15:24 UTC
From:
To:
The original rationale is stated here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691138#10

...with a specific complaint:
 > For example, initially the helper always created interfaces in the
 > form tapNN (picking up next free number).  This way, it weren't
 > possible to know which iface will be in use by which guest, and
 > hence, for example, firewall rules can't be created for this
 > iface by system administrator.  Recently upstream added ability
 > to specify interface name from command line, but now it accepts
 > any interface, including ones which are used by the system -
 > eg, pppNN, for which firewall rules already created.

I'm by no means an expert on this, but I looked into this as best I
could. My findings were:

1. As stated earlier in this bug, the name of the target bridge
interface must be allowed via /etc/qemu/bridge.conf. This is sort-of
documented in:
https://wiki.qemu.org/Features/HelperNetworking

...with more details about per-user access control in the commit message:
https://github.com/qemu/qemu/commit/bdef79a2994d6f0383e07e9597675711662b3031

My testing showed that:
* When /etc/qemu/bridge.conf does not exist, the helper errors out.
* When the conf is empty, the helper errors out.
* When the conf has no matching ACL, the helper errors out.
* When the conf has a matching ACL, the helper succeeds.

I didn't test the per-user ACL functionality, but at least for baseline
functionality, the handling of the user-supplied bridge name seems secure.


2. The actual complaint quoted above was about the creation of the tap
devices, though, not the bridge. As far as I can tell, the helper does
not actually accept any user specification of the tap device naming.
Devices are still created as "tapN" (with the kernel picking the next
available number).
https://github.com/qemu/qemu/blob/f761b41a62c8ac12f26727dddc7ae1dd3ca9802b/qemu-bridge-helper.c#L348

I don't see anywhere in the code that renames the tap interface either,
and my testing via libvirt shows that interfaces remain named e.g.
"tap0" (libvirt doesn't seem to rename them either).


3. I also checked the usage of the supplied FD, which could have
potentially been used for user input. This socket is never read from,
however; the only use is to send the FD for /dev/net/tun back to the
parent via a control message.
https://github.com/qemu/qemu/blob/f761b41a62c8ac12f26727dddc7ae1dd3ca9802b/qemu-bridge-helper.c#L442

This FD is opened read/write, but that is not a problem, since the
socket is globally writable anyway (the kernel restricts some operations
when they are called).
https://www.kernel.org/doc/Documentation/networking/tuntap.txt


Am I missing any further unsafe operation of the helper? If there aren't
any specific known problems, then I suggest that the binary be given
setuid, or (if possible) CAP_NET_ADMIN. This would be consistent with
upstream and would alleviate this recurring bug.

It would also be helpful to provide a default /etc/qemu/bridge.conf; I
don't know what would be a good default, but even an empty file would be
a good starting point.

Thanks,
Corey

#765936#53
Date:
2022-06-14 05:45:02 UTC
From:
To:
Is it sufficient to use

   dpkg-statoverride --add root root 04755 /usr/lib/qemu/qemu-bridge-helper

to fix this on a particular system?

(see man dpkg-statoverride for more info).

BTW, this helper should be moved to /usr/libexec/qemu/ now..

Thanks,

/mjt

#765936#58
Date:
2022-06-14 17:05:19 UTC
From:
To:
1. This does persist across a reinstallation of qemu-system-common.
2. This does not apply immediately.

I suggest instead:

sudo dpkg-statoverride --update --add root root 04755 /usr/lib/qemu/qemu-bridge-helper

That will immediately change the mode of the existing file.


I also tested granting CAP_NET_ADMIN via:
sudo setcap cap_net_admin=ep /usr/lib/qemu/qemu-bridge-helper

This works as well, but I don't see any way to make it persist
across package reinstallation. Some research indicates this must
be done by post-install script.

https://superuser.com/questions/1606800/how-can-capabilities-be-set-for-a-file-across-upgrades-in-dpkg-like-for-permissi
https://serverfault.com/questions/784426/preserve-linux-capabilities-in-debian-package

Thanks,
Corey