[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [virt-tools-list] virt-manager user support to run qemu-kvm process under system user for security



On Tue, Jan 18, 2011 at 03:43:38PM +0000, Wu Haa wrote:
> 
> Hi,
> 
> If/when will 'chroot'/'runas user' be made available in virt-manager and xml config structure.
> 
> QEMU-KVM Options
> 
> -chroot dir     Chroot to dir just before starting the VM.

SELinux/AppArmour will provide stronger protection than this
would, by ensuring VMs can only access files that have been
explicitly listed in the guest XML config. In the future we
may also use linux container functionality to confine VMs,
which  can offer a form of chroot that is much more secure
and flexible.

> -runas user     Change to user id user just before starting the VM.

When connected to 'qemu://session' all VMs are run unprivileged
as your own user ID. When connected to qemu://system VMs are
either run as root, or these days as a 'qemu' user. In the future
there will be a security driver that runs each VM under a dedicated
user ID.


Daniel


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]