From: Anthony Liguori
Subject: Re: A few KVM security questions
Date: Mon, 07 Dec 2009 10:47:30 -0600
Message-ID: <4B1D31A2.5010302@codemonkey.ws>
References: <4B1CFD93.7090307@invisiblethingslab.com> <4B1D0057.8030707@redhat.com> <4B1D094B.5000700@invisiblethingslab.com>
In-Reply-To: <4B1D094B.5000700@invisiblethingslab.com>
To: Joanna Rutkowska
Cc: Avi Kivity, kvm@vger.kernel.org

Joanna Rutkowska wrote:
> Avi Kivity wrote:
>> On 12/07/2009 03:05 PM, Joanna Rutkowska wrote:
>>> In particular, is it possible to move the qemu from the host to one of
>>> the VMs? Perhaps to have a separate copy of qemu for each VM? (ala
>>> Xen's stub-domains)
>>
>> It should be fairly easy to place qemu in a guest. You would leave a
>> simple program on the host to communicate with kvm and pass any data
>> written by the guest to qemu running in another guest, and feed any
>> replies back to the guest.
>
> But then you would need to have another qemu (on the host) to support
> running this "qemu-VM", where we want to put the qemu, right?

It really offers no advantage. The security assumption should be that a
guest can break into qemu. If a guest can break out of qemu, putting it
in another qemu means that we still need to assume it can break out of
that qemu.

The host should treat the qemu process as hostile and constrain it by
using things like -runas, -chroot, SELinux, and containers. This is what
most production systems do today. libvirt certainly takes this approach.

That's not to say that we know for sure that a guest can break into
qemu, but designing around that assumption gives us MLS.

Regards,

Anthony Liguori

> joanna.
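As an added example (not code from this thread, from QEMU or from libvirt), a small host-side audit of the confinement Anthony describes: it checks a qemu command line for -runas and -chroot, reads the effective uid from a /proc/<pid>/status snippet, and checks that the SELinux label is not an unconfined domain. The command lines, status text and labels below are constructed samples.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Confinement:
    runas: Optional[str]          # user named by -runas, if present
    chroot: Optional[str]         # directory named by -chroot, if present
    euid: Optional[int]           # effective uid read from /proc/<pid>/status
    selinux_label: Optional[str]  # process label, e.g. from /proc/<pid>/attr/current

    def missing(self) -> List[str]:
        """Confinement layers that are absent; an empty list means all are present."""
        gaps = []
        if self.runas is None or self.euid in (None, 0):
            gaps.append("unprivileged uid")      # -runas given and actually took effect
        if self.chroot is None:
            gaps.append("chroot")
        if not self.selinux_label or "unconfined_t" in self.selinux_label:
            gaps.append("selinux confinement")   # unconfined_t is the unconfined domain type
        return gaps

def parse_cmdline(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Pull the -runas and -chroot arguments out of a qemu command line."""
    args = shlex.split(cmdline)
    runas = chroot = None
    for i, arg in enumerate(args[:-1]):   # stop one short so args[i + 1] always exists
        if arg == "-runas":
            runas = args[i + 1]
        elif arg == "-chroot":
            chroot = args[i + 1]
    return runas, chroot

def parse_euid(status: str) -> Optional[int]:
    """Effective uid from the 'Uid:' line (real, effective, saved, fs) of /proc/<pid>/status."""
    for line in status.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[2])
    return None

def audit(cmdline: str, status: str, selinux_label: Optional[str]) -> Confinement:
    runas, chroot = parse_cmdline(cmdline)
    return Confinement(runas, chroot, parse_euid(status), selinux_label)

# Constructed samples: a bare launch running as root, and one confined as the thread suggests.
BARE_CMD = "qemu-system-x86_64 -m 512 -hda guest.img"
BARE_STATUS = "Name:\tqemu-system-x86\nUid:\t0\t0\t0\t0\n"
SAFE_CMD = "qemu-system-x86_64 -m 512 -hda guest.img -runas qemu -chroot /var/empty"
SAFE_STATUS = "Name:\tqemu-system-x86\nUid:\t107\t107\t107\t107\n"
```

Calling `audit(SAFE_CMD, SAFE_STATUS, "system_u:system_r:svirt_t:s0:c12,c34").missing()` returns an empty list, while the bare launch with an unconfined label reports all three layers missing.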