[libvirt] Re: [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

James Morris jmorris at namei.org
Tue Aug 12 09:57:19 UTC 2008


On Tue, 12 Aug 2008, Russell Coker wrote:

> having different labels for processes and files so that if someone cracks the 
> UML kernel then they end up with just a regular user access on the Linux 
> host.  Which of course they could then try to crack with any of the usual 
> local-root exploits.
> 
> For separation based on Xen if someone cracks the hypervisor then you lose 
> everything.
> 
> For KVM (which seems to be the future of Linux virtualisation) I don't know 
> enough to comment.

KVM uses a modified version of Qemu where guests run as Linux processes.

There are some useful documents here:
http://kvm.qumranet.com/kvmwiki/Documents

(The OLS paper especially).


> So by "Linux-based" you mean in contrast to Xen which has the Xen kernel (not 
> Linux) running on the hardware?

Yes.

> > I don't understand what needs to be backed here.  Currently, MAC is not
> > used to separate different Linux-based VMs, and by integrating MAC
> > support, people will be able to further utilize MAC.
> 
> One thing that should be noted is the labelled network benefits.  If you had 
> several groups of virtual servers running at different levels and wanted to 
> prevent information leaks then having SE Linux contexts and labelled 
> networking could make things a little easier.
> 
> I have had some real challenges in managing firewall rules for Xen servers.  
> My general practice is to try and make sure that there is no real need for 
> firewalls between hosts on the same hardware (not that I want it this way - 
> it's what technical and management issues force me to).
> 
> So for example if I have an ISP Xen server running virtual machines for a 
> number of organisations I make sure that they are either all within a similar 
> trust boundary (i.e. affiliated groups) or all mutually untrusting (i.e. other IP 
> addresses in the same net-block are treated the same as random hosts on the 
> net).

Thanks for the insights -- we expect to address the virtual networking 
aspect in some way.

> The issue is whether the hypervisor you care about can be broken out of in 
> that way.  It seems that if someone can break out of Xen then you just lose.  
> For KVM I don't know the situation, do you have a good reference for how it 
> works?
> 
> http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
> 
> The above web page says that KVM is all based in the kernel, in which case why 
> would it be any more resilient than Xen?

KVM uses a kernel module to utilize the virt hardware (which Qemu 
interfaces with via /dev/kvm), but the guest runs in a userspace process.

I'm not comparing which is more resilient.


- James
-- 
James Morris
<jmorris at namei.org>