From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anthony Liguori Subject: Re: [Qemu-devel] Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu Date: Wed, 27 Jan 2010 08:14:25 -0600 Message-ID: <4B604A41.1040103@codemonkey.ws> References: <1264538423.24933.144.camel@w-sridhar.beaverton.ibm.com> <1264547735.24933.244.camel@w-sridhar.beaverton.ibm.com> <4B5F8379.6060607@codemonkey.ws> <201001270752.07037.arnd@arndb.de> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Sridhar Samudrala , markmc@redhat.com, kvm@vger.kernel.org, "Michael S. Tsirkin" , qemu-devel@nongnu.org, ogerlitz@voltaire.com, avi@redhat.com To: Arnd Bergmann Return-path: Received: from mail-gx0-f224.google.com ([209.85.217.224]:40386 "EHLO mail-gx0-f224.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754268Ab0A0OO3 (ORCPT ); Wed, 27 Jan 2010 09:14:29 -0500 Received: by gxk24 with SMTP id 24so6742247gxk.1 for ; Wed, 27 Jan 2010 06:14:28 -0800 (PST) In-Reply-To: <201001270752.07037.arnd@arndb.de> Sender: kvm-owner@vger.kernel.org List-ID: On 01/27/2010 12:52 AM, Arnd Bergmann wrote: > On Wednesday 27 January 2010, Anthony Liguori wrote: > >>> The raw backend can be attached to a physical device >>> >> This is equivalent to bridging with tun/tap except that it has the >> unexpected behaviour of unreliable host/guest networking (which is not >> universally consistent across platforms either). This is not a mode we >> want to encourage users to use. >> > It's not the most common scenario, but I've seen systems (I remember > one on s/390 with z/VM) where you really want to isolate the guest > network as much as possible from the host network. Besides PCI > passthrough, giving the host device to a guest using a raw socket > is the next best approximation of that. > But if you care about isolation, it's the worst possible thing to do. If a guest breaks into qemu, it's one bind() away from accessing any other guests network. Using a bridge with a single interface on it is much better from an isolation perspective. >> In general, what I would like to see for >> this is something more user friendly that dealt specifically with this >> use-case. Although honestly, given the recent security concerns around >> raw sockets, I'm very concerned about supporting raw sockets in qemu at all. >> >> Essentially, you get worse security doing vhost-net + raw + VF then with >> PCI passthrough + VF because at least in the later case you can run qemu >> without privileges. CAP_NET_RAW is a very big privilege. >> > It can be contained to a large degree with network namespaces. When you > run qemu in its own namespace and add the VF to that, CAP_NET_RAW > should ideally have no effect on other parts of the system (except > bugs in the namespace implementation). > That's a pretty big hammer to hit this problem with. QEMU should not require CAP_NET_RAW and so far has been able to avoid it quite successfully. So far, I haven't heard a compelling reason that to use raw other than bridging can be complicated to setup. If we had the equivalent of a raw socket that could be bound to a socket and then "locked" such that it could be safely handed to a non-privileged process, then it would be a different story. Regards, Anthony Liguori