From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anthony Liguori <anthony@codemonkey.ws>
Subject: Re: [PATCH qemu-kvm] Add raw(af_packet) network backend to qemu
Date: Thu, 28 Jan 2010 13:57:33 -0600
Message-ID: <4B61EC2D.10909@codemonkey.ws>
References: <4B5F54E8.3080507@codemonkey.ws> <20100127180338.GB13730@redhat.com> <4B6099E0.40101@codemonkey.ws> <201001280912.04809.arnd@arndb.de> <20100128135644.GE3776@redhat.com> <4B619BA1.9010404@codemonkey.ws> <20100128145226.GA10497@redhat.com> <4B61A7C9.7040808@codemonkey.ws> <20100128163720.GB3288@redhat.com> <4B61D058.20606@codemonkey.ws> <20100128180426.GB3541@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Arnd Bergmann <arnd@arndb.de>, Sridhar Samudrala <sri@us.ibm.com>,
	avi@redhat.com, markmc@redhat.com, ogerlitz@voltaire.com,
	kvm@vger.kernel.org, qemu-devel@vger.kernel.org,
	Chris Wright <chrisw@redhat.com>,
	"Daniel P. Berrange" <berrange@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-fx0-f215.google.com ([209.85.220.215]:42826 "EHLO
	mail-fx0-f215.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751526Ab0A1T5v (ORCPT <rfc822;kvm@vger.kernel.org>);
	Thu, 28 Jan 2010 14:57:51 -0500
In-Reply-To: <20100128180426.GB3541@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 01/28/2010 12:04 PM, Michael S. Tsirkin wrote:
> On Thu, Jan 28, 2010 at 11:58:48AM -0600, Anthony Liguori wrote:
>    
>> On 01/28/2010 10:37 AM, Michael S. Tsirkin wrote:
>>      
>>> So actually, this is an interesting argument in favor of
>>> turning disablenetwork from per-process as it is now
>>> to per-file.
>>>
>>>        
>> Yup.  I think we really need a file-based restriction mechanism and so
>> far, neither disablenetwork or network namespace seems to do that.
>>
>> I think you might be able to mitigate this with SELinux since I'm fairly
>> certain it can prevent SCM_RIGHTS but SELinux is not something that can
>> be enforced within a set of applications so we'd be relying on SELinux
>> being enabled (honestly, unlikely) and the policy being correctly
>> configured (unlikely in the general case at least).
>>
>> Regards,
>>
>> Anthony Liguori
>>      
> I am not convinced SELinux being disabled is a problem we necessarily
> need to deal with, and qemu does not verify e.g. that it is not run as
> root either. A more serious problem IMO is that SCM_RIGHTS might be
> needed for some other functionality.
>    

It would mean that libvirt is insecure unless SELinux is enabled.  
That's a pretty fundamental flaw IMHO.

At any rate, I think we both agree that we need to figure out a 
solution, so that's good :-)

Regards,

Anthony Liguori