[libvirt] creating stream
Daniel P. Berrange
berrange at redhat.com
Thu Apr 6 12:15:51 UTC 2017
On Thu, Apr 06, 2017 at 03:09:12PM +0300, Vasiliy Tolstov wrote:
> 2017-04-06 15:06 GMT+03:00 Vasiliy Tolstov <v.tolstov at selfip.ru>:
> >> We already have a fine grained access control system that can be used to
> >> restrict feature access...
>
>
> Also i don't think that libvirt access control have ability to deny
> access based on function and payload. For example i need to deny for
> some users ability to create domain with memory more then 10G or
> network with type nat.
Trying todo that kind of config access control at the libvirt API level is
doomed to failure. The ability to pass in an XML document describing a
guest gives you privileges equivalent to root. There are so many ways you
can use the XML document give a guest access to host resources, that trying
to do access restrictions based on XML content is impractical. You are
inevitably going to miss the existance of certain XML features and thus think
you have a locked down system where in fact you've left plenty of backdoors to
exploit it. Every time QEMU or libvirt are upgraded new features are introduced
so again what you thought was secure may now suddenly be insecure. This is why
we explicitly don't expose this info to the access control framework. You need
to have a much higher level representation of the guest configuration data &
related resources in order to do practical access control on usage of
individual guest config features.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
More information about the libvir-list
mailing list