
Re: [libvirt] [Qemu-devel] Re: Libvirt debug API



On Sun, Apr 25, 2010 at 08:53:17PM -0500, Anthony Liguori wrote:
> On 04/25/2010 06:51 AM, Avi Kivity wrote:
> >  Qemu is special due to the nonexistence of qemud.
> >
> >Why is sVirt implemented in libvirt?  It's not the logical place for 
> >it; rather the logical place doesn't exist.
> 
> sVirt is not just implemented in libvirt.  libvirt implements a 
> mechanism to set the context of a given domain and dynamically label 
> its resources to isolate it.
> 
> The reason it has to assign a context to a given domain is that all 
> domains are launched from the same security context (the libvirtd 
> context) as the original user's context (the consumer of the libvirt 
> API) has been lost via the domain socket interface.
> 
> If you used the /session URL, then the domain would have the security 
> context of whomever created the guest which means that dynamic labelling 
> of the resources wouldn't be necessary (you would just do static labelling).

That is not correct. You do *not* ever want the guests to have the same 
security context as the thing that created them, because that would allow
the guest to access & compromise resources belonging to the management app.
Every guest must always have a unique context. The libvirt+sVirt dynamic 
labelling with unique contexts is applied even for the /session mode.
The thing you save with the /session mode is not having to do the user/group
ownership management; sVirt labelling is always required.

> This is certainly a more secure model and it's a feature of qemu that I 
> really wish didn't get lost in libvirt.  Again, /session can do this too 
> but right now, /session really isn't usable in libvirt for qemu.

If you really want the qemu instance to inherit the context of the mgmt
app, then you can just declare in the guest XML that it should use a
static label, and pass in the app's own label. This is *not* a more secure
model though.


Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
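
The two points in the message above (every guest needs a unique context, and a static label copying the management app's own label is not a more secure model) can be checked against domain XML. The Python below is an added example, not part of the original post and not libvirt code; `audit_seclabels`, the sample guests and every label value are constructed, and it assumes the `<seclabel type='...'>` / `<label>` elements of libvirt domain XML with the SELinux model.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

MGMT_LABEL = "unconfined_u:unconfined_r:unconfined_t:s0"  # constructed sample

def _dom(name, kind, label):
    # Build a minimal constructed domain XML carrying only name + seclabel.
    return (f"<domain type='kvm'><name>{name}</name>"
            f"<seclabel type='{kind}' model='selinux'>"
            f"<label>{label}</label></seclabel></domain>")

# Constructed sample guests (labels are illustrative, not from the thread).
SAMPLE_DOMAINS = [
    _dom("web1", "dynamic", "system_u:system_r:svirt_t:s0:c87,c520"),
    _dom("db1", "dynamic", "system_u:system_r:svirt_t:s0:c101,c900"),
    _dom("tools", "static", MGMT_LABEL),
    _dom("batch1", "static", "system_u:system_r:svirt_t:s0:c87,c520"),
]

def audit_seclabels(domain_xmls, mgmt_label):
    """Return (guest, finding) tuples for labels that weaken guest isolation."""
    findings = []
    guests_by_label = defaultdict(list)
    for text in domain_xmls:
        dom = ET.fromstring(text)
        name = dom.findtext("name", default="<unnamed>")
        sec = dom.find("seclabel")
        if sec is None:
            continue  # no seclabel in this XML, nothing to check here
        label = (sec.findtext("label") or "").strip()
        if sec.get("type") == "static":
            findings.append((name, "static label"))
        if label and label == mgmt_label:
            findings.append((name, "runs in management app context"))
        if label:
            guests_by_label[label].append(name)
    # Every guest needs a unique context; report any label used twice.
    for names in guests_by_label.values():
        if len(names) > 1:
            for n in names:
                others = ",".join(x for x in names if x != n)
                findings.append((n, "label shared with " + others))
    return findings

if __name__ == "__main__":
    for guest, finding in audit_seclabels(SAMPLE_DOMAINS, MGMT_LABEL):
        print(f"{guest}: {finding}")
```

Labels are compared as whole strings, so two labels listing the same MCS categories in a different order would not be matched by this check.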

