From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anthony Liguori Subject: Re: [Qemu-devel] [RFC] Next gen kvm api Date: Tue, 07 Feb 2012 09:15:12 -0600 Message-ID: <4F314000.6060401@codemonkey.ws> References: <4F2AB552.2070909@redhat.com> <4F2C6517.3040203@codemonkey.ws> <4F302E0D.20302@freescale.com> <4F3118EA.7040302@codemonkey.ws> <4F311BBD.5050600@redhat.com> <4F311E64.10604@codemonkey.ws> <4F31249D.1040700@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Scott Wood , linux-kernel , Eric Northup , KVM list , qemu-devel , Chris Wright To: Avi Kivity Return-path: In-Reply-To: <4F31249D.1040700@redhat.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: kvm.vger.kernel.org On 02/07/2012 07:18 AM, Avi Kivity wrote: > On 02/07/2012 02:51 PM, Anthony Liguori wrote: >> On 02/07/2012 06:40 AM, Avi Kivity wrote: >>> On 02/07/2012 02:28 PM, Anthony Liguori wrote: >>>> >>>>> It's a potential source of exploits >>>>> (from bugs in KVM or in hardware). I can see people wanting to be >>>>> selective with access because of that. >>>> >>>> As is true of the rest of the kernel. >>>> >>>> If you want finer grain access control, that's exactly why we have things like >>>> LSM and SELinux. You can add the appropriate LSM hooks into the KVM >>>> infrastructure and setup default SELinux policies appropriately. >>> >>> LSMs protect objects, not syscalls. There isn't an object to protect here >>> (except the fake /dev/kvm object). >> >> A VM can be an object. >> > > Not really, it's not accessible in a namespace. How would you label it? Labels can originate from userspace, IIUC, so I think it's possible for QEMU (or whatever the userspace is) to set the label for the VM while it's creating it. I think this is how most of the labeling for X and things of that nature works. Maybe Chris can set me straight. > Maybe we can reuse the process label/context (not sure what the right term is > for a process). Regards, Anthony Liguori >