[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [Qemu-devel] [PATCH v4] Add support for fd: protocol





On 08/22/2011 01:25 PM, Anthony Liguori wrote:
On 08/22/2011 11:50 AM, Daniel P. Berrange wrote:
On Mon, Aug 22, 2011 at 11:29:12AM -0500, Anthony Liguori wrote:
I don't think it makes sense to have qemu-fe do dynamic labelling.
You certainly could avoid the fd passing by having qemu-fe do the
open though and just let qemu-fe run without the restricted security
context.

qemu-fe would also not be entirely simple,

Indeed.


I do like the idea of a privileged qemu-fe performing the open and passing the fd to a restricted qemu. However, I get the impression that this won't get delivered nearly as quickly as fd: passing could be. How soon do we need image isolation for NFS?

Btw, this sounds similar to what Blue Swirl recommended here on v1 of this patch: http://lists.gnu.org/archive/html/qemu-devel/2011-05/msg02187.html

Regards,
Corey

because it will need to act
as a proxy for the monitor, in order to make hotplug work. ie the mgmt
app would be sending 'drive_add file:/foo/bar' to qemu-fe, which would
then have to open the file and send 'drive_add fd:NN' onto the real QEMU,
and then pass the results on back.

In addition qemu-fe would still have to be under some kind of restricted
security context for it to be acceptable. This is going to want to be as
locked down as possible.

I think there's got to be some give and take here.

It should at least be as locked down as libvirtd. From a security point
of view, we should be able to agree that we want libvirtd to be as
locked down as possible.

But there shouldn't be a hard requirement to lock down qemu-fe more than
libvirtd. Instead, the requirement should be for qemu-fe to be as/more
vigilant in not trusting qemu-system-x86_64 as libvirtd is.

The fundamental problem here, is that there is some logic in libvirtd
that rightly belongs in QEMU. In order to preserve the security model,
that means that we're going to have to take a subsection of QEMU and
trust it more.

So I'd see that you'd likely end up with the
qemu-fe security policy being identical to the qemu security policy,

Then there's no point in doing qemu-fe. qemu-fe should be thought of as
QEMU supplied libvirtd plugin.

with the exception that it would be allowed to open files on NFS without
needing them to be labelled. So I don't really see that all this gives us
any tangible benefits over just allowing the mgmt app to pass in the FDs
directly.

But libvirt would still need to parse image files.

Not neccessarily. As mentioned below, it is entirely possible to
enable the mgmt app to pass in details of the backing files, at
which point no image parsing is required by libvirt. Hence my
assertion that the question of who does image parsing is irrelevant
to this discussion.

That's certainly true.

Regards,

Anthony Liguori


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]