[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH v8 0/7] file descriptor passing using fd sets



Am 10.08.2012 04:10, schrieb Corey Bryant:
> libvirt's sVirt security driver provides SELinux MAC isolation for
> Qemu guest processes and their corresponding image files.  In other
> words, sVirt uses SELinux to prevent a QEMU process from opening
> files that do not belong to it.
> 
> sVirt provides this support by labeling guests and resources with
> security labels that are stored in file system extended attributes.
> Some file systems, such as NFS, do not support the extended
> attribute security namespace, and therefore cannot support sVirt
> isolation.
> 
> A solution to this problem is to provide fd passing support, where
> libvirt opens files and passes file descriptors to QEMU.  This,
> along with SELinux policy to prevent QEMU from opening files, can
> provide image file isolation for NFS files stored on the same NFS
> mount.
> 
> This patch series adds the add-fd, remove-fd, and query-fdsets
> QMP monitor commands, which allow file descriptors to be passed
> via SCM_RIGHTS, and assigned to specified fd sets.  This allows
> fd sets to be created per file with fds having, for example,
> different access rights.  When QEMU needs to reopen a file with
> different access rights, it can search for a matching fd in the
> fd set.  Fd sets also allow for easy tracking of fds per file,
> helping to prevent fd leaks.
> 
> Support is also added to the block layer to allow QEMU to dup an
> fd from an fdset when the filename is of the /dev/fdset/nnn format,
> where nnn is the fd set ID.
> 
> No new SELinux policy is required to prevent open of NFS files
> (files with type nfs_t).  The virt_use_nfs boolean type simply
> needs to be set to false, and open will be prevented (and dup will
> be allowed).  For example:
> 
>     # setsebool virt_use_nfs 0
>     # getsebool virt_use_nfs
>     virt_use_nfs --> off
> 
> Corey Bryant (7):
>   qemu-char: Add MSG_CMSG_CLOEXEC flag to recvmsg
>   qapi: Introduce add-fd, remove-fd, query-fdsets
>   monitor: Clean up fd sets on monitor disconnect
>   block: Prevent detection of /dev/fdset/ as floppy
>   block: Convert open calls to qemu_open
>   block: Convert close calls to qemu_close
>   block: Enable qemu_open/close to work with fd sets
> 
>  block/raw-posix.c |   46 +++++----
>  block/raw-win32.c |    6 +-
>  block/vdi.c       |    5 +-
>  block/vmdk.c      |   25 ++---
>  block/vpc.c       |    4 +-
>  block/vvfat.c     |   16 +--
>  cutils.c          |    5 +
>  monitor.c         |  294 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  monitor.h         |    5 +
>  osdep.c           |  117 +++++++++++++++++++++
>  qapi-schema.json  |   98 ++++++++++++++++++
>  qemu-char.c       |   12 ++-
>  qemu-common.h     |    2 +
>  qemu-tool.c       |   20 ++++
>  qmp-commands.hx   |  117 +++++++++++++++++++++
>  savevm.c          |    4 +-
>  16 files changed, 721 insertions(+), 55 deletions(-)

Apart from the few comments I made, I like this series. Maybe v9 will be
the last one. :-)

Kevin


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]