From mboxrd@z Thu Jan 1 00:00:00 1970
From: Anthony Liguori
Subject: Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Wed, 27 Jan 2010 12:02:34 -0600
Message-ID: <4B607FBA.2070902@codemonkey.ws>
References: <1264538423.24933.144.camel@w-sridhar.beaverton.ibm.com>
 <4B5F54E8.3080507@codemonkey.ws>
 <4B5F5594.6080006@codemonkey.ws>
 <20100127092451.GC3476@redhat.com>
 <4B60488F.5020506@codemonkey.ws>
 <20100127165909.GA13260@redhat.com>
 <4B6072E1.7030702@codemonkey.ws>
 <20100127172536.GD13260@redhat.com>
 <4B60799F.80708@codemonkey.ws>
 <1264614895.20320.35.camel@w-sridhar.beaverton.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Michael S. Tsirkin", avi@redhat.com, markmc@redhat.com,
 ogerlitz@voltaire.com, kvm@vger.kernel.org, qemu-devel@vger.kernel.org
To: Sridhar Samudrala
Return-path:
Received: from mail-iw0-f186.google.com ([209.85.223.186]:57866
 "EHLO mail-iw0-f186.google.com" rhost-flags-OK-OK-OK-OK)
 by vger.kernel.org with ESMTP id S1755881Ab0A0SCj (ORCPT );
 Wed, 27 Jan 2010 13:02:39 -0500
In-Reply-To: <1264614895.20320.35.camel@w-sridhar.beaverton.ibm.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 01/27/2010 11:54 AM, Sridhar Samudrala wrote:
> I too think that we should not block raw backend in qemu just because of
> security reasons. It should be perfectly fine to use raw backend in
> scenarios where qemu can be run as a privileged process.
>
> libvirt need not support raw backend until we figure out a secure way to
> start qemu when passing raw fd. Using network namespaces seems like a
> good option.
>

Introducing something that is known to be problematic from a security
perspective without any clear idea of what the use-case for it is is a
bad idea IMHO.

Regards,

Anthony Liguori

> Thanks
> Sridhar
>
>