From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Fri, 29 Jan 2010 13:26:00 +0200
Message-ID: <20100129112600.GB6548@redhat.com>
References: <4B6099E0.40101@codemonkey.ws> <201001280912.04809.arnd@arndb.de> <20100128135644.GE3776@redhat.com> <4B619BA1.9010404@codemonkey.ws> <20100128145226.GA10497@redhat.com> <4B61A7C9.7040808@codemonkey.ws> <20100128163720.GB3288@redhat.com> <4B61D058.20606@codemonkey.ws> <20100128180426.GB3541@redhat.com> <4B61EC2D.10909@codemonkey.ws>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Arnd Bergmann <arnd@arndb.de>, Sridhar Samudrala <sri@us.ibm.com>,
	avi@redhat.com, markmc@redhat.com, ogerlitz@voltaire.com,
	kvm@vger.kernel.org, qemu-devel@vger.kernel.org,
	Chris Wright <chrisw@redhat.com>,
	"Daniel P. Berrange" <berrange@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:43458 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1756609Ab0A2L3R (ORCPT <rfc822;kvm@vger.kernel.org>);
	Fri, 29 Jan 2010 06:29:17 -0500
Content-Disposition: inline
In-Reply-To: <4B61EC2D.10909@codemonkey.ws>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On Thu, Jan 28, 2010 at 01:57:33PM -0600, Anthony Liguori wrote:
> On 01/28/2010 12:04 PM, Michael S. Tsirkin wrote:
>> On Thu, Jan 28, 2010 at 11:58:48AM -0600, Anthony Liguori wrote:
>>    
>>> On 01/28/2010 10:37 AM, Michael S. Tsirkin wrote:
>>>      
>>>> So actually, this is an interesting argument in favor of
>>>> turning disablenetwork from per-process as it is now
>>>> to per-file.
>>>>
>>>>        
>>> Yup.  I think we really need a file-based restriction mechanism and so
>>> far, neither disablenetwork or network namespace seems to do that.
>>>
>>> I think you might be able to mitigate this with SELinux since I'm fairly
>>> certain it can prevent SCM_RIGHTS but SELinux is not something that can
>>> be enforced within a set of applications so we'd be relying on SELinux
>>> being enabled (honestly, unlikely) and the policy being correctly
>>> configured (unlikely in the general case at least).
>>>
>>> Regards,
>>>
>>> Anthony Liguori
>>>      
>> I am not convinced SELinux being disabled is a problem we necessarily
>> need to deal with, and qemu does not verify e.g. that it is not run as
>> root either. A more serious problem IMO is that SCM_RIGHTS might be
>> needed for some other functionality.
>>    
>
> It would mean that libvirt is insecure unless SELinux is enabled.   
> That's a pretty fundamental flaw IMHO.
>
> At any rate, I think we both agree that we need to figure out a  
> solution, so that's good :-)
>
> Regards,
>
> Anthony Liguori

Yes, but I am still not sure the problem is real. Pls discuss on netdev.

-- 
MST