From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>
Cc: "Laurent Vivier" <lvivier@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Juan Quintela" <quintela@redhat.com>,
qemu-devel <qemu-devel@nongnu.org>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2 0/2] Add dbus-vmstate
Date: Fri, 23 Aug 2019 15:09:48 +0100 [thread overview]
Message-ID: <20190823140948.GI2784@work-vm> (raw)
In-Reply-To: <CAJ+F1CKTsQC1fULFG-hbUZ=Ao654K-TE6Fm9c1V+eRdAjk9QRA@mail.gmail.com>
* Marc-André Lureau (marcandre.lureau@gmail.com) wrote:
> Hi
>
> On Fri, Aug 23, 2019 at 5:00 PM Dr. David Alan Gilbert
> <dgilbert@redhat.com> wrote:
> >
> > * Daniel P. Berrangé (berrange@redhat.com) wrote:
> >
> > <snip>
> >
> > > This means QEMU still has to iterate over every single client
> > > on the bus to identify them. If you're doing that, there's
> > > no point in owning a well known service at all. Just iterate
> > > over the unique bus names and look for the exported object
> > > path /org/qemu/VMState
> > >
> >
> > Not knowing anything about DBus security, I want to ask how do
> > we handle security here?
>
> First of all, we are talking about cooperative processes, and having a
> specific bus for each qemu instance. So some amount of security/trust
> is already assumed.
Some but we need to keep it as limited as possible; for example two
reasons for having separate processes both come down to security:
a) vtpm - however screwy the qemu is, you can never get to the keys in
the vtpm
b) virtio-gpu, loads of complex GPU code that can't break the main
qemu process.
> But if necessary, dbus can enforce policies on who is allowed to own a
> name, or to send/receive message from. As far as I know, this is
> mostly user/group policies.
>
> But there is also SELinux checks to send_msg and acquire_svc (see
> dbus-daemon(1))
But how does something like SELinux interact with a private dbus
rather than the system dbus?
> >
> > I want to know that the external device that's giving me migration data
> > is the device I think I'm speaking to, not one of the other devices;
>
> DBus is not the problem nor the solution here.
Well, if the migration data was squirting down the existing vhost-user
channel then there would be no risk here; so the use of dbus is creating
the problem.
> But what defines that device-service strong relationship? Can you
> generalize it? I don't think so.
>
> What DBus can guarantee is that the unique-id you are talking to is
> always the same connection (thus the same process).
>
> > I also dont want different devices chatting to each other over dbus
> > unless we're very careful.
>
> That's a bus policy job.
OK, as long as you somehow set it up.
Dave
> >
> > Dave
> >
> > > Regards,
> > > Daniel
> > > --
> > > |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> > > |: https://libvirt.org -o- https://fstop138.berrange.com :|
> > > |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
> > --
> > Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
> >
>
>
> --
> Marc-André Lureau
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2019-08-23 14:11 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 15:03 [Qemu-devel] [PATCH v2 0/2] Add dbus-vmstate Marc-André Lureau
2019-08-08 15:03 ` [Qemu-devel] [PATCH v2 1/2] qemu-file: move qemu_{get, put}_counted_string() declarations Marc-André Lureau
2019-08-09 18:32 ` Dr. David Alan Gilbert
2019-08-08 15:03 ` [Qemu-devel] [PATCH v2 2/2] Add dbus-vmstate object Marc-André Lureau
2019-08-08 15:07 ` Marc-André Lureau
2019-08-22 10:55 ` Dr. David Alan Gilbert
2019-08-22 11:35 ` Marc-André Lureau
2019-08-22 11:41 ` Dr. David Alan Gilbert
2019-08-22 11:57 ` Marc-André Lureau
2019-08-22 12:19 ` Dr. David Alan Gilbert
2019-08-22 12:38 ` Marc-André Lureau
2019-08-22 12:51 ` Dr. David Alan Gilbert
2019-08-23 11:20 ` [Qemu-devel] [PATCH v2 0/2] Add dbus-vmstate Daniel P. Berrangé
2019-08-23 11:31 ` Marc-André Lureau
2019-08-23 11:41 ` Daniel P. Berrangé
2019-08-23 11:47 ` Marc-André Lureau
2019-08-23 13:00 ` Dr. David Alan Gilbert
2019-08-23 13:48 ` Marc-André Lureau
2019-08-23 14:09 ` Daniel P. Berrangé
2019-08-23 14:09 ` Dr. David Alan Gilbert [this message]
2019-08-23 14:20 ` Daniel P. Berrangé
2019-08-23 14:26 ` Dr. David Alan Gilbert
2019-08-23 14:40 ` Daniel P. Berrangé
2019-08-23 14:56 ` Dr. David Alan Gilbert
2019-08-23 15:05 ` Daniel P. Berrangé
2019-08-23 15:14 ` Dr. David Alan Gilbert
2019-08-23 15:21 ` Daniel P. Berrangé
2019-08-23 15:24 ` Dr. David Alan Gilbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190823140948.GI2784@work-vm \
--to=dgilbert@redhat.com \
--cc=berrange@redhat.com \
--cc=lvivier@redhat.com \
--cc=marcandre.lureau@gmail.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.