From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ian Campbell
Subject: Re: [PATCH v10] run QEMU as non-root
Date: Mon, 16 Nov 2015 12:07:08 +0000
Message-ID: <1447675628.27871.43.camel@citrix.com>
References: <1446727646-6802-1-git-send-email-stefano.stabellini@eu.citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1446727646-6802-1-git-send-email-stefano.stabellini@eu.citrix.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Stefano Stabellini
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Thu, 2015-11-05 at 12:47 +0000, Stefano Stabellini wrote:
> Try to use "xen-qemuuser-domid$domid" first, then
> "xen-qemuuser-shared" and root if everything else fails.
>
> The uids need to be manually created by the user or, more likely, by the
> xen package maintainer.
>
> Expose a device_model_user setting in libxl_domain_build_info, so that
> opinionated callers, such as libvirt, can set any user they like. Do not
> fall back to root if device_model_user is set. Users can also set
> device_model_user by hand in the xl domain config file.
>
> QEMU is going to setuid and setgid to the user ID and the group ID of
> the specified user, soon after initialization, before starting to deal
> with any guest IO.
>
> To actually secure QEMU when running in Dom0, we need at least to
> deprivilege the privcmd and xenstore interfaces, this is just the first
> step in that direction.
>
> Signed-off-by: Stefano Stabellini

acked + applied.
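
The account selection order described in the quoted commit message, as an added example that is not part of the original thread and is not libxl's code. The names `select_dm_user`, `user_lookup_fn`, `passwd_lookup` and `sample_lookup`, and the uid 990, are hypothetical; the sample database is constructed.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Returns 0 and fills uid/gid if the account exists, -1 otherwise. */
typedef int (*user_lookup_fn)(const char *name, uid_t *uid, gid_t *gid);

/* Lookup against the system passwd database. */
int passwd_lookup(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (!pw) return -1;
    *uid = pw->pw_uid; *gid = pw->pw_gid;
    return 0;
}

/* Constructed sample database: only the shared account and root exist. */
int sample_lookup(const char *name, uid_t *uid, gid_t *gid)
{
    if (strcmp(name, "xen-qemuuser-shared") == 0) { *uid = 990; *gid = 990; return 0; }
    if (strcmp(name, "root") == 0) { *uid = 0; *gid = 0; return 0; }
    return -1;
}

/* configured is device_model_user, or NULL when unset. Returns 0 on success;
 * -1 when an explicitly configured user is missing (never falls back to root). */
int select_dm_user(unsigned domid, const char *configured, user_lookup_fn lookup,
                   char *name, size_t len, uid_t *uid, gid_t *gid)
{
    if (configured) {
        if (lookup(configured, uid, gid) != 0) return -1;
        snprintf(name, len, "%s", configured);
        return 0;
    }
    snprintf(name, len, "xen-qemuuser-domid%u", domid);
    if (lookup(name, uid, gid) == 0) return 0;
    snprintf(name, len, "xen-qemuuser-shared");
    if (lookup(name, uid, gid) == 0) return 0;
    snprintf(name, len, "root");   /* last resort, only when nothing was configured */
    return lookup(name, uid, gid);
}

int main(void)
{
    char name[64]; uid_t uid; gid_t gid;
    if (select_dm_user(5, NULL, passwd_lookup, name, sizeof name, &uid, &gid) != 0)
        return 1;
    printf("domain 5 device model would run as %s (uid %u)\n", name, (unsigned)uid);
    return 0;
}
```
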