nixos/libvirtd: add option to run qemu as non-root

New option virtualisation.libvirtd.qemuRunAsRoot (default: true). If false, qemu is run as non-privileged user qemu-libvirtd, reducing security risk
NixOS · Aug 10, 2018 · 980505d · 980505d
1 parent 9c33863
commit 980505d
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
@@ -325,6 +325,7 @@
       hydron = 298;
       cfssl = 299;
       cassandra = 300;
+      qemu-libvirtd = 301;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -610,6 +611,7 @@
       hydron = 298;
       cfssl = 299;
       cassandra = 300;
+      qemu-libvirtd = 301;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix
@@ -17,6 +17,10 @@ let
     ${optionalString cfg.qemuOvmf ''
       nvram = ["/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd"]
     ''}
+    ${optionalString (!cfg.qemuRunAsRoot) ''
+      user = "qemu-libvirtd"
+      group = "qemu-libvirtd"
+    ''}
     ${cfg.qemuVerbatimConfig}
   '';
 
@@ -56,6 +60,18 @@ in {
       '';
     };
 
+    virtualisation.libvirtd.qemuRunAsRoot = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        If true,  libvirtd runs qemu as root.
+        If false, libvirtd runs qemu as unprivileged user qemu-libvirtd.
+        Changing this option to false may cause file permission issues
+        for existing guests. To fix these, manually change ownership
+        of affected files in /var/lib/libvirt/qemu to qemu-libvirtd.
+      '';
+    };
+
     virtualisation.libvirtd.qemuVerbatimConfig = mkOption {
       type = types.lines;
       default = ''
@@ -110,6 +126,14 @@ in {
 
     users.groups.libvirtd.gid = config.ids.gids.libvirtd;
 
+    # libvirtd runs qemu as this user and group by default
+    users.extraGroups.qemu-libvirtd.gid = config.ids.gids.qemu-libvirtd;
+    users.extraUsers.qemu-libvirtd = {
+      uid = config.ids.uids.qemu-libvirtd;
+      isNormalUser = false;
+      group = "qemu-libvirtd";
+    };
+
     systemd.packages = [ pkgs.libvirt ];
 
     systemd.services.libvirtd = {