public inbox for kvm@vger.kernel.org
From: Anthony Liguori <anthony@codemonkey.ws>
To: Joanna Rutkowska <joanna@invisiblethingslab.com>
Cc: Avi Kivity <avi@redhat.com>, kvm@vger.kernel.org
Subject: Re: A few KVM security questions
Date: Mon, 07 Dec 2009 10:47:30 -0600
Message-ID: <4B1D31A2.5010302@codemonkey.ws>
In-Reply-To: <4B1D094B.5000700@invisiblethingslab.com>

Joanna Rutkowska wrote:
> Avi Kivity wrote:
>   
>> On 12/07/2009 03:05 PM, Joanna Rutkowska wrote:
>>     
>>> In particular, is
>>> it possible to move the qemu from the host to one of the VMs? Perhaps to
>>> have a separate copy of qemu for each VM? (ala Xen's stub-domains)
>>>    
>>>       
>> It should be fairly easy to place qemu in a guest.  You would leave a
>> simple program on the host to communicate with kvm and pass any data
>> written by the guest to qemu running in another guest, and feed any
>> replies back to the guest.
>>
>>     
>
> But then you would need to have another qemu (on the host) to support
> running this "qemu-VM", where we want to put the qemu, right?
>   

It really offers no advantage.  The security assumption should be that a 
guest can break into qemu.  If a guest can break out of qemu, putting it 
in another qemu means that we still need to assume it can break out of 
that qemu.  The host should treat the qemu process as hostile and 
constrain it by using things like -runas, -chroot, SELinux, and 
containers.  This is what most production systems do today.  libvirt 
certainly takes this approach.

That's not to say that we know for sure that a guest can break into 
qemu, but designing around that assumption gives us MLS.

Regards,

Anthony Liguori
> joanna.
>
>   
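
An added illustration, not part of the message above and not QEMU or libvirt code: a host-side check for the confinement layers the message lists (dropped root privileges, `-chroot`, an SELinux domain), run over constructed process records. The record layout, the `svirt_t` domain name, the per-guest category check and the finding names are assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample records (not from the thread): pid, effective uid,
# SELinux label, command line. svirt_t and the paths are assumptions.
SAMPLE_PROCS = [
    (2101, 107, "system_u:system_r:svirt_t:s0:c12,c804",
     "qemu-system-x86_64 -m 1024 -runas qemu -chroot /var/empty/vm1"),
    (2102, 0, "unconfined_u:unconfined_r:unconfined_t:s0",
     "qemu-system-x86_64 -m 2048 -drive file=/images/vm2.img"),
    (2103, 107, "system_u:system_r:svirt_t:s0:c33,c410",
     "qemu-system-x86_64 -m 512 -runas qemu"),
    (2104, 107, "system_u:system_r:svirt_t:s0:c33,c410",
     "qemu-system-x86_64 -m 512 -runas qemu -chroot /var/empty/vm4"),
]

def option_value(argv, flag):
    """Return the argument that follows `flag`, or None if it is absent."""
    for i, arg in enumerate(argv[:-1]):
        if arg == flag:
            return argv[i + 1]
    return None

def parse_label(label):
    """Split user:role:type:level into (type, MCS categories)."""
    parts = label.split(":", 3)
    if len(parts) < 4:
        return None, ""
    return parts[2], parts[3].partition(":")[2]

def audit(procs):
    """Return {pid: [missing confinement layers]} for every process."""
    findings = {pid: [] for pid, *_ in procs}
    by_categories = defaultdict(list)
    for pid, euid, label, cmdline in procs:
        argv = shlex.split(cmdline)
        if euid == 0:
            findings[pid].append("root")          # still has root privileges
        if option_value(argv, "-chroot") is None:
            findings[pid].append("no-chroot")     # not confined to a chroot
        setype, categories = parse_label(label)
        if setype != "svirt_t":
            findings[pid].append("unconfined")    # no per-guest SELinux domain
        elif categories:
            by_categories[categories].append(pid)
    for pids in by_categories.values():
        if len(pids) > 1:                         # guests not separated by MCS
            for pid in pids:
                findings[pid].append("shared-mcs")
    return findings
```
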

