Wiki

• FrontPage
• RecentChanges
• FindPage
• HelpContents
• Xen/QemuDepriv

QEMU deprivileging

By default, QEMU runs in dom0 as root. But there is a way to run QEMU as user, with a few caveats.
Why though ? Security.

Official docs :

• https://xenbits.xen.org/docs/unstable/features/qemu-deprivilege.html

• https://xenbits.xen.org/docs/unstable/designs/qemu-deprivilege.html

Works:

• Disks
• Network
• VNC
• Audio

Does not work:

• PCI passthrough
• 9pfs
• CD-rom changing, not out of the box, needs special QEMU incantations
• hotplugging virtual devices ?

Some explanations :

QEMU deprivileging works roughly by starting as root, opening privcmd, grants, evtchn and all files on the command line.
Then it chroots into an empty directory, changes user and drops permissions.

So a raw/qcow disk image from the command line is already open. But if you want to change the cdrom iso, you need libxl to open it and pass the fd in via add-fd QMP.

9pfs isn't started at qemu startup. It is detected via xenstore after qemu has depriv-ed itself at runtime. Which is too late to open evtchn (9pfs uses a dedicated evtchn even though there are other ones already open). But qemu is also no longer running as root, and it is down in the chroot, so it would not have access to any files. 9pfs also isn't setup to do fd passing - it expects to get file paths and open them itself.
9pfs did start out as a network file system. It is just a stream of data though and can run over different transports like TCP, xen grant table rings, or virtio.

Quick setup

As you read the Xen docs, you know there are various ways to do it, here's one. Basically, it consists in creating regular users with names that Xen will recognize, then set a domain config option.

1. Create base user range

Command with example output :

# adduser --system --uid 131072 --group --no-create-home xen-qemuuser-range-base
Adding system user `xen-qemuuser-range-base' (UID 131072) ...
Adding new group `xen-qemuuser-range-base' (GID 131072) ...
Adding new user `xen-qemuuser-range-base' (UID 131072) with group `xen-qemuuser-range-base' ...
useradd warning: xen-qemuuser-range-base's uid 131072 is greater than SYS_UID_MAX 999
Not creating `/nonexistent'.

You can choose whatever UID suits you, but the user name "xen-qemuuser-range-base" is mandatory. You can ignore the warning about SYS_UID_MAX.

2. Add to domain config file

# QEMU deprivilege
dm_restrict = 1

3. Test

Start your domain and check the user id running qemu, it should not be root. The command line should have additional params too (like -runas UID:GID).

$ ps fu -C xen-qemu-system-i386
$ ps aux | grep xen-qemu

The user id is "range_base + domain_id", so with the recommended base and a domain id of 70, you get 131072 + 70 = 131142.

CategoryXen CategoryVirtualization