[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 0/5] qemu: invoke qemu-bridge-helper from libvirtd



Il 28/03/2013 20:30, Laine Stump ha scritto:
> > The <interface type='bridge'> is working mostly because of a bad design
> > decision in Linux.  Ideally, QEMU would run with an empty capability
> > bounding set and would not be able to do any privileged operation
> > (not even by running a helper program).  This is not the case because
> > dropping capabilities from the bounding set requires a capability of its
> > own, CAP_SETPCAP; thus QEMU does *not* run with an empty bounding set if
> > invoked via qemu:///session.
> 
> Ewww. So what you're saying is that the qemu that's run from
> qemu:///system is more locked down (and thus "more secure") than the
> qemu that's run from qemu:///session? Basically this qemu can run any
> setuid application it likes, and there's nothing that we can do about it.

Yes.  However, seccompv2 can still prevent execve to be executed by qemu.

Paolo


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]