Re: [kvm-devel] [RFC][PATCH 00/01]qemu VM entrypoints

All of lore.kernel.org
 help / color / mirror / Atom feed

From: David Windsor <dwindsor@gmail.com>
To: Avi Kivity <avi@qumranet.com>, Anthony Liguori <anthony@codemonkey.ws>
Cc: kvm-devel <kvm-devel@lists.sourceforge.net>,
	David Windsor <dwindsor@tresys.com>,
	Joshua Brindle <jbrindle@tresys.com>,
	selinux <selinux@tycho.nsa.gov>
Subject: Re: [kvm-devel] [RFC][PATCH 00/01]qemu VM entrypoints
Date: Sat, 21 Jul 2007 02:53:03 -0400	[thread overview]
Message-ID: <C2C7258F.36C9%dwindsor@gmail.com> (raw)
In-Reply-To: <46A1A5E9.7000807@qumranet.com>

On 7/21/07 2:21 AM, "Avi Kivity" <avi@qumranet.com> wrote:

> Anthony Liguori wrote:
>> James Morris wrote:
>>   
>>> On Fri, 20 Jul 2007, Daniel P. Berrange wrote:
>>> 
>>>   
>>>     
>>>> It could be - if your put the policy at the control API layer instead of
>>>> in QEMU itself.
>>>>     
>>>>       
>>> Then you can bypass MAC security by invoking qemu directly.
>>>   
>>>     
>> 
>> You can bypass MAC security by writing your own binary that uses the KVM
>> kernel interfaces.
>> 
>>   
> 
> I guess modifying qemu makes sense if the modification gives you *more*
> permissions.
> 
> i.e. you start out just with the ability to access the disk image, and
> then you transition to a new domain that allows you to access some network.
> 
> 
> Is that what is intended here?

The intent here is to provide some mechanism for a policy-driven transition
to occur when loading a virtual disk.  So, an administrator would write
policy for say, a topsecret_vm_t domain, in which the top secret VM can run.
All access requests from this VM would have a source type of topsecret_vm_t
on the host machine.  The virtual disk, labeled perhaps as topsecret_disk_t,
would need to be authorized in policy to be an entrypoint into the
topsecret_vm_t domain.  This patch proposes a mechanism that allows us to
provide policy driven controls both over which files can be used as a disk
image, and to which domain a qemu process will transition after loading the
disk image.  

Originally, I thought qemu was the proper place for this type of an
enforcement hook, but libvirt may be more appropriate because qemu could be
launched with a different security context if loading a virtual disk, rather
than having qemu set up the security context of the VM.  Thoughts?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

WARNING: multiple messages have this Message-ID (diff)

From: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org>,
	Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
Cc: kvm-devel
	<kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>,
	David Windsor <dwindsor-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>,
	Joshua Brindle <jbrindle-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>,
	selinux <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
Subject: Re: [RFC][PATCH 00/01]qemu VM entrypoints
Date: Sat, 21 Jul 2007 02:53:03 -0400	[thread overview]
Message-ID: <C2C7258F.36C9%dwindsor@gmail.com> (raw)
In-Reply-To: <46A1A5E9.7000807-atKUWr5tajBWk0Htik3J/w@public.gmane.org>

On 7/21/07 2:21 AM, "Avi Kivity" <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org> wrote:

> Anthony Liguori wrote:
>> James Morris wrote:
>>   
>>> On Fri, 20 Jul 2007, Daniel P. Berrange wrote:
>>> 
>>>   
>>>     
>>>> It could be - if your put the policy at the control API layer instead of
>>>> in QEMU itself.
>>>>     
>>>>       
>>> Then you can bypass MAC security by invoking qemu directly.
>>>   
>>>     
>> 
>> You can bypass MAC security by writing your own binary that uses the KVM
>> kernel interfaces.
>> 
>>   
> 
> I guess modifying qemu makes sense if the modification gives you *more*
> permissions.
> 
> i.e. you start out just with the ability to access the disk image, and
> then you transition to a new domain that allows you to access some network.
> 
> 
> Is that what is intended here?

The intent here is to provide some mechanism for a policy-driven transition
to occur when loading a virtual disk.  So, an administrator would write
policy for say, a topsecret_vm_t domain, in which the top secret VM can run.
All access requests from this VM would have a source type of topsecret_vm_t
on the host machine.  The virtual disk, labeled perhaps as topsecret_disk_t,
would need to be authorized in policy to be an entrypoint into the
topsecret_vm_t domain.  This patch proposes a mechanism that allows us to
provide policy driven controls both over which files can be used as a disk
image, and to which domain a qemu process will transition after loading the
disk image.  

Originally, I thought qemu was the proper place for this type of an
enforcement hook, but libvirt may be more appropriate because qemu could be
launched with a different security context if loading a virtual disk, rather
than having qemu set up the security context of the VM.  Thoughts?

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

next prev parent reply	other threads:[~2007-07-21  6:53 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-07-20 19:32 [RFC][PATCH 00/01]qemu VM entrypoints David Windsor
2007-07-20 19:32 ` David Windsor
     [not found] ` <C2C68600.366D%dwindsor-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>
2007-07-20 20:03   ` Anthony Liguori
2007-07-20 21:55     ` [kvm-devel] " David Windsor
2007-07-20 21:55       ` [Qemu-devel] " David Windsor
2007-07-20 21:55       ` David Windsor
2007-07-20 22:19       ` [kvm-devel] " Anthony Liguori
2007-07-20 22:19         ` [Qemu-devel] " Anthony Liguori
2007-07-20 20:11   ` Daniel P. Berrange
2007-07-20 20:30     ` [kvm-devel] " James Morris
2007-07-20 20:30       ` James Morris
2007-07-20 20:38       ` Daniel P. Berrange
2007-07-20 20:46       ` Anthony Liguori
2007-07-20 22:42         ` [kvm-devel] " James Morris
2007-07-20 22:42           ` James Morris
2007-07-20 22:53           ` Anthony Liguori
2007-07-20 23:33             ` [kvm-devel] " James Morris
2007-07-20 23:33               ` James Morris
2007-07-21  2:48           ` [kvm-devel] " David Windsor
2007-07-21  2:48             ` David Windsor
2007-07-21  2:51             ` [Qemu-devel] " David Windsor
     [not found]         ` <46A11F1A.2080004-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2007-07-21  6:21           ` Avi Kivity
2007-07-21  6:53             ` David Windsor [this message]
2007-07-21  6:53               ` David Windsor
     [not found]               ` <C2C7258F.36C9%dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2007-07-21 15:54                 ` Anthony Liguori
2007-07-21 17:55                   ` [kvm-devel] " James Morris
2007-07-21 17:55                     ` James Morris
2007-07-21 19:01                     ` [kvm-devel] " Joshua Brindle
2007-07-21 19:01                       ` Joshua Brindle
     [not found]                       ` <6FE441CD9F0C0C479F2D88F959B01588DE1B1E-Lp/cVzEoVybUo1n7N8X6UhN0Am9MfdqnVpNB7YpNyf8@public.gmane.org>
2007-07-22 19:07                         ` Anthony Liguori
2007-07-22 20:22                           ` [kvm-devel] " David Windsor
2007-07-22 20:22                             ` David Windsor
2007-07-22 20:27                             ` [Qemu-devel] [kvm-devel] " David Windsor
2007-07-22 17:39                   ` David Windsor
2007-07-22 17:39                     ` David Windsor
2007-07-20 21:57       ` [kvm-devel] " David Windsor
2007-07-20 21:57         ` [Qemu-devel] " David Windsor
2007-07-20 21:57         ` David Windsor
     [not found]         ` <25a1d91b0707201457m6865a505maf93d22c5c28f0cc-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2007-07-20 23:50           ` Daniel P. Berrange
2007-07-20 23:50             ` [Qemu-devel] Re: [kvm-devel] " Daniel P. Berrange
2007-07-21  1:41             ` James Morris
2007-07-21  1:41               ` [Qemu-devel] " James Morris
2007-07-21  1:41               ` James Morris
2007-07-20 20:35 ` [kvm-devel] " James Morris
2007-07-20 20:35   ` James Morris
2007-07-20 21:50 ` [Qemu-devel] " David Windsor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=C2C7258F.36C9%dwindsor@gmail.com \
    --to=dwindsor@gmail.com \
    --cc=anthony@codemonkey.ws \
    --cc=avi@qumranet.com \
    --cc=dwindsor@tresys.com \
    --cc=jbrindle@tresys.com \
    --cc=kvm-devel@lists.sourceforge.net \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.