[libvirt] [PATCH v4 0/5] Per-guest configurable user/group for QEMU processes

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Thu Sep 13 20:36:25 UTC 2012


Hi,

Any comments about that?

Regards,
Marcelo

On Tue, Sep 11, 2012 at 02:13:38PM -0400, Corey Bryant wrote:
> Are there any other requirements that need to be taken care of to
> enable execution of QEMU guests under separate unprivileged user IDs
> (i.e. DAC isolation)?
> 
> At this point, this patch series (Per-guest configurable user/group
> for QEMU processes) is upstream, allowing libvirt to execute guests
> under separate unprivileged user IDs.  Additionally, the QEMU bridge
> helper series is upstream, allowing QEMU to allocate a tap device
> and attach it to a bridge when run under an unprivileged user ID (http://www.redhat.com/archives/libvir-list/2012-August/msg00277.html).
> 
> Is there any other feature in QEMU that requires QEMU to be run as root?
> 
> -- 
> Regards,
> Corey
> 
> On 08/15/2012 06:10 PM, Marcelo Cerri wrote:
> >This is a v4 patch series that updates libvirt's security driver mechanism to support a per-guest configurable user and group for QEMU processes, running together with other security drivers such as SELinux and AppArmor.
> >
> >Marcelo Cerri (5):
> >   Internal refactory of data structures
> >   Multiple security drivers in XML data
> >   Update security layer to handle many security labels
> >   Support for multiple default security drivers in QEMU config
> >   Update the remote API
> >
> >  daemon/remote.c                                    |   63 ++++
> >  docs/formatdomain.html.in                          |   11 +-
> >  docs/schemas/capability.rng                        |   18 +-
> >  docs/schemas/domaincommon.rng                      |   30 ++-
> >  include/libvirt/libvirt.h.in                       |    2 +
> >  python/generator.py                                |    1 +
> >  src/conf/capabilities.c                            |   17 +-
> >  src/conf/capabilities.h                            |    6 +-
> >  src/conf/domain_audit.c                            |   14 +-
> >  src/conf/domain_conf.c                             |  343 +++++++++++++++-----
> >  src/conf/domain_conf.h                             |   20 +-
> >  src/driver.h                                       |    4 +
> >  src/libvirt.c                                      |   47 +++
> >  src/libvirt_private.syms                           |    5 +
> >  src/libvirt_public.syms                            |    1 +
> >  src/lxc/lxc_conf.c                                 |    8 +-
> >  src/lxc/lxc_controller.c                           |    8 +-
> >  src/lxc/lxc_driver.c                               |   11 +-
> >  src/lxc/lxc_process.c                              |   23 +-
> >  src/qemu/qemu.conf                                 |    6 +-
> >  src/qemu/qemu_conf.c                               |   38 ++-
> >  src/qemu/qemu_conf.h                               |    2 +-
> >  src/qemu/qemu_driver.c                             |  218 +++++++++++---
> >  src/qemu/qemu_process.c                            |   50 ++-
> >  src/remote/remote_driver.c                         |   46 +++
> >  src/remote/remote_protocol.x                       |   17 +-
> >  src/remote_protocol-structs                        |   11 +
> >  src/security/security_apparmor.c                   |  118 +++++--
> >  src/security/security_dac.c                        |  324 +++++++++++++++++--
> >  src/security/security_manager.c                    |  101 +++++--
> >  src/security/security_manager.h                    |    8 +-
> >  src/security/security_selinux.c                    |  263 +++++++++++-----
> >  src/security/security_stack.c                      |  237 +++++++++-----
> >  src/security/security_stack.h                      |   13 +
> >  src/test/test_driver.c                             |   11 +-
> >  .../qemuxml2argv-seclabel-dynamic-override.xml     |    4 +-
> >  .../qemuxml2argv-seclabel-dynamic.xml              |    2 +-
> >  37 files changed, 1653 insertions(+), 448 deletions(-)
> >
> >--
> >libvir-list mailing list
> >libvir-list at redhat.com
> >https://www.redhat.com/mailman/listinfo/libvir-list
> >
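As an added illustration, not part of this thread or of the patch series itself, the fragment below shows what a per-guest DAC label combined with a dynamic SELinux label looks like in domain XML using libvirt's `<seclabel>` syntax (the one documented in docs/formatdomain.html.in, which this series touches). The domain name, memory size and the uid/gid pair are constructed values, and the `+uid:+gid` numeric form of the DAC label is assumed from libvirt's documentation rather than taken from the page:

```xml
<domain type='kvm'>
  <name>guest-a</name>
  <memory unit='MiB'>512</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
  </os>
  <!-- Dynamic SELinux label: libvirt picks a unique svirt MCS category for this guest
       and relabels its disk images so other guests' QEMU processes cannot read them. -->
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <!-- Static DAC label: run this guest's QEMU as uid 1001 / gid 1001 (constructed values)
       instead of the global user/group from qemu.conf. The '+' prefix forces numeric ids,
       so no passwd/group lookup is needed. relabel='yes' lets libvirt chown the images. -->
  <seclabel type='static' model='dac' label='+1001:+1001' relabel='yes'/>
</domain>
```

The point of pairing the two labels is defence in depth: the DAC label gives each guest its own unprivileged uid/gid, so a QEMU escape lands in an account that owns nothing but that guest's files, while the SELinux label still confines the process even if the uids were ever shared. After starting the guest, `ps -o user,group,label -C qemu-system-x86_64` is a quick way to confirm that the process carries both the expected numeric owner and the svirt context.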
