From: Anthony Liguori <anthony@codemonkey.ws>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Sridhar Samudrala <sri@us.ibm.com>,
markmc@redhat.com, kvm@vger.kernel.org,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, ogerlitz@voltaire.com, avi@redhat.com
Subject: Re: [Qemu-devel] Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Wed, 27 Jan 2010 08:14:25 -0600 [thread overview]
Message-ID: <4B604A41.1040103@codemonkey.ws> (raw)
In-Reply-To: <201001270752.07037.arnd@arndb.de>
On 01/27/2010 12:52 AM, Arnd Bergmann wrote:
> On Wednesday 27 January 2010, Anthony Liguori wrote:
>
>>> The raw backend can be attached to a physical device
>>>
>> This is equivalent to bridging with tun/tap except that it has the
>> unexpected behaviour of unreliable host/guest networking (which is not
>> universally consistent across platforms either). This is not a mode we
>> want to encourage users to use.
>>
> It's not the most common scenario, but I've seen systems (I remember
> one on s/390 with z/VM) where you really want to isolate the guest
> network as much as possible from the host network. Besides PCI
> passthrough, giving the host device to a guest using a raw socket
> is the next best approximation of that.
>
But if you care about isolation, it's the worst possible thing to do.
If a guest breaks into qemu, it's one bind() away from accessing any
other guests network.
Using a bridge with a single interface on it is much better from an
isolation perspective.
>> In general, what I would like to see for
>> this is something more user friendly that dealt specifically with this
>> use-case. Although honestly, given the recent security concerns around
>> raw sockets, I'm very concerned about supporting raw sockets in qemu at all.
>>
>> Essentially, you get worse security doing vhost-net + raw + VF then with
>> PCI passthrough + VF because at least in the later case you can run qemu
>> without privileges. CAP_NET_RAW is a very big privilege.
>>
> It can be contained to a large degree with network namespaces. When you
> run qemu in its own namespace and add the VF to that, CAP_NET_RAW
> should ideally have no effect on other parts of the system (except
> bugs in the namespace implementation).
>
That's a pretty big hammer to hit this problem with. QEMU should not
require CAP_NET_RAW and so far has been able to avoid it quite
successfully. So far, I haven't heard a compelling reason that to use
raw other than bridging can be complicated to setup.
If we had the equivalent of a raw socket that could be bound to a socket
and then "locked" such that it could be safely handed to a
non-privileged process, then it would be a different story.
Regards,
Anthony Liguori
WARNING: multiple messages have this Message-ID (diff)
From: Anthony Liguori <anthony@codemonkey.ws>
To: Arnd Bergmann <arnd@arndb.de>
Cc: markmc@redhat.com, kvm@vger.kernel.org,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, ogerlitz@voltaire.com, avi@redhat.com,
Sridhar Samudrala <sri@us.ibm.com>
Subject: Re: [Qemu-devel] Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Wed, 27 Jan 2010 08:14:25 -0600 [thread overview]
Message-ID: <4B604A41.1040103@codemonkey.ws> (raw)
In-Reply-To: <201001270752.07037.arnd@arndb.de>
On 01/27/2010 12:52 AM, Arnd Bergmann wrote:
> On Wednesday 27 January 2010, Anthony Liguori wrote:
>
>>> The raw backend can be attached to a physical device
>>>
>> This is equivalent to bridging with tun/tap except that it has the
>> unexpected behaviour of unreliable host/guest networking (which is not
>> universally consistent across platforms either). This is not a mode we
>> want to encourage users to use.
>>
> It's not the most common scenario, but I've seen systems (I remember
> one on s/390 with z/VM) where you really want to isolate the guest
> network as much as possible from the host network. Besides PCI
> passthrough, giving the host device to a guest using a raw socket
> is the next best approximation of that.
>
But if you care about isolation, it's the worst possible thing to do.
If a guest breaks into qemu, it's one bind() away from accessing any
other guests network.
Using a bridge with a single interface on it is much better from an
isolation perspective.
>> In general, what I would like to see for
>> this is something more user friendly that dealt specifically with this
>> use-case. Although honestly, given the recent security concerns around
>> raw sockets, I'm very concerned about supporting raw sockets in qemu at all.
>>
>> Essentially, you get worse security doing vhost-net + raw + VF then with
>> PCI passthrough + VF because at least in the later case you can run qemu
>> without privileges. CAP_NET_RAW is a very big privilege.
>>
> It can be contained to a large degree with network namespaces. When you
> run qemu in its own namespace and add the VF to that, CAP_NET_RAW
> should ideally have no effect on other parts of the system (except
> bugs in the namespace implementation).
>
That's a pretty big hammer to hit this problem with. QEMU should not
require CAP_NET_RAW and so far has been able to avoid it quite
successfully. So far, I haven't heard a compelling reason that to use
raw other than bridging can be complicated to setup.
If we had the equivalent of a raw socket that could be bound to a socket
and then "locked" such that it could be safely handed to a
non-privileged process, then it would be a different story.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2010-01-27 14:14 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-26 20:40 [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu Sridhar Samudrala
2010-01-26 20:47 ` Anthony Liguori
2010-01-26 20:50 ` Anthony Liguori
2010-01-26 23:19 ` Sridhar Samudrala
2010-01-27 9:24 ` Michael S. Tsirkin
2010-01-27 9:34 ` Arnd Bergmann
2010-01-27 9:44 ` Michael S. Tsirkin
2010-01-27 14:03 ` Anthony Liguori
2010-01-27 21:39 ` Arnd Bergmann
2010-01-27 22:56 ` Sridhar Samudrala
2010-01-28 6:06 ` Arnd Bergmann
2010-01-28 16:53 ` Jens Osterkamp
2010-01-28 11:22 ` Or Gerlitz
2010-01-29 20:52 ` Sridhar Samudrala
2010-01-29 20:52 ` [Qemu-devel] " Sridhar Samudrala
2010-01-27 14:07 ` Anthony Liguori
2010-01-27 16:59 ` Michael S. Tsirkin
2010-01-27 17:07 ` Anthony Liguori
2010-01-27 17:25 ` Michael S. Tsirkin
2010-01-27 17:36 ` Anthony Liguori
2010-01-27 17:54 ` Sridhar Samudrala
2010-01-27 18:02 ` Anthony Liguori
2010-01-27 18:03 ` Michael S. Tsirkin
2010-01-27 19:54 ` Anthony Liguori
2010-01-28 8:12 ` Arnd Bergmann
2010-01-28 13:56 ` Michael S. Tsirkin
2010-01-28 14:13 ` Anthony Liguori
2010-01-28 14:39 ` Anthony Liguori
2010-01-28 14:52 ` Michael S. Tsirkin
2010-01-28 15:05 ` Anthony Liguori
2010-01-28 16:37 ` Michael S. Tsirkin
2010-01-28 17:58 ` Anthony Liguori
2010-01-28 18:04 ` Michael S. Tsirkin
2010-01-28 19:57 ` Anthony Liguori
2010-01-29 11:26 ` Michael S. Tsirkin
2010-01-28 20:29 ` Arnd Bergmann
2010-02-01 15:47 ` Or Gerlitz
2010-01-27 18:12 ` Michael S. Tsirkin
2010-01-26 23:15 ` Sridhar Samudrala
2010-01-26 23:15 ` [Qemu-devel] " Sridhar Samudrala
2010-01-27 0:06 ` Anthony Liguori
2010-01-27 6:52 ` Arnd Bergmann
2010-01-27 6:52 ` Arnd Bergmann
2010-01-27 14:14 ` Anthony Liguori [this message]
2010-01-27 14:14 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B604A41.1040103@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=arnd@arndb.de \
--cc=avi@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=markmc@redhat.com \
--cc=mst@redhat.com \
--cc=ogerlitz@voltaire.com \
--cc=qemu-devel@nongnu.org \
--cc=sri@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.