From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: kwolf@redhat.com, aliguori@us.ibm.com, libvir-list@redhat.com,
Corey Bryant <coreyb@linux.vnet.ibm.com>,
qemu-devel@nongnu.org, Christoph Hellwig <hch@lst.de>
Subject: Re: [Qemu-devel] [libvirt] [PATCH v4] Add support for fd: protocol
Date: Mon, 22 Aug 2011 11:29:12 -0500
Message-ID: <4E5283D8.9000309@codemonkey.ws>
In-Reply-To: <20110822162444.GI9456@redhat.com>
On 08/22/2011 11:24 AM, Daniel P. Berrange wrote:
> On Mon, Aug 22, 2011 at 05:38:20PM +0200, Christoph Hellwig wrote:
>> I'm still totally against this. FD passing is a nice feature for sandboxing,
>> but the passing should be between closely cooperating programs. We'll
>> need a tool shipped from the qemu source tree to open and set up the
>> FDs, and not someone external. With that setup in place we can use
>> a protocol similar to the various OpenBSD privilege separated daemons
>> to also allow reopening / snapshots / etc.
>>
>> Opening fds in libvirt and passing them into qemu is exactly the wrong way,
>> and just cements the current horrors where libvirt duplicates parsing
>> of image format headers.
>
> The primary goal of this work is to allow QEMU to use a file, without
> giving it permission to open the file. This lets us cope with the current
> limitations of NFS wrt SELinux labelling. Where ordinarily we'd relabel
> the disk file to allow QEMU to open it, on NFS we can't do that. So we
> set up a SELinux policy that allows QEMU to read any NFS files that it is
> passed, but not actually open them. This allows secure use of QEMU with
> NFS, without having to solve the NFS + SELinux labelling problems, which
> is still a long term ongoing effort by NFS vendors.
I think you miss the point Christoph is making.
Christoph is suggesting that we have two qemu executables, qemu-fe and
qemu-system-x86_64. qemu-fe would be smaller and would carry more
rights than qemu-system-x86_64.
But I don't think this fixes the problem. Something needs to do dynamic
labelling of the backing files to implement a Chinese Wall MAC policy.
In order to do that, something needs to parse the image formats.
I don't think it makes sense to have qemu-fe do dynamic labelling. You
certainly could avoid the fd passing by having qemu-fe do the open
though and just let qemu-fe run without the restricted security context.
But libvirt would still need to parse image files.
Regards,
Anthony Liguori
>
> Whether or not libvirt parses image format headers is completely
> unrelated. Consider if libvirt did not parse image formats and instead
> required the mgmt app to pass in details of all backing files. We still
> have the problem of how to securely grant just one QEMU instance access
> to the files. This still needs the FD passing support being proposed
> here to cope with NFS.
>
> So the question of whether or not libvirt should be parsing image format
> headers is completely irrelevant to acceptability of this FD passing
> support.
>
> Regards,
> Daniel
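The mechanism the thread is arguing over, shown as an added example that is not code from the fd: patch, QEMU or libvirt: the side that is allowed to open the path does so and hands only the descriptor across a Unix socket with SCM_RIGHTS, so the receiving side can read the file without ever holding permission to open it. The function names and the single-process round trip are constructed for illustration; the receiver deliberately refuses any message that does not carry a well-formed SCM_RIGHTS control message.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pass an open fd via SCM_RIGHTS; the kernel duplicates it into the peer's fd table. */
int send_fd(int sock, int fd)
{
    char byte = 'F';   /* SCM_RIGHTS must ride on at least one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = { { 0 } };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd; -1 unless a well-formed SCM_RIGHTS control message came
 * with it, so a bare data byte is never mistaken for a descriptor. */
int recv_fd(int sock)
{
    char byte; int fd;
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = { { 0 } };
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);   /* NULL when no control data arrived */
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Constructed round trip in one process: the "opener" end opens path read-only
 * and passes the fd; the "restricted" end reads byte 0 through it. Byte or -1. */
int read_first_byte_via_passed_fd(const char *path)
{
    int sv[2], fd, rfd = -1, rc = -1; unsigned char c;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((fd = open(path, O_RDONLY)) >= 0) {
        if (send_fd(sv[0], fd) == 0) rfd = recv_fd(sv[1]);
        close(fd);            /* the sender's copy is no longer needed */
    }
    if (rfd >= 0 && read(rfd, &c, 1) == 1) rc = c;
    if (rfd >= 0) close(rfd);
    close(sv[0]); close(sv[1]);
    return rc;
}
```

In the real deployment the two ends are separate processes under different security contexts; here they share one process only so the exchange can be run and checked on its own.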