From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [RFC][PATCH 00/01]qemu VM entrypoints
Date: Sat, 21 Jul 2007 02:53:03 -0400
Message-ID: <C2C7258F.36C9%dwindsor@gmail.com>
References: <46A1A5E9.7000807@qumranet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: kvm-devel <kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>,
	David Windsor <dwindsor-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>,
	Joshua Brindle <jbrindle-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>, selinux <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
To: Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org>,
	Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
Return-path: <kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
In-Reply-To: <46A1A5E9.7000807-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=kvm-devel>
List-Post: <mailto:kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
List-Help: <mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=subscribe>
Sender: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Errors-To: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
List-Id: kvm.vger.kernel.org

On 7/21/07 2:21 AM, "Avi Kivity" <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org> wrote:

> Anthony Liguori wrote:
>> James Morris wrote:
>>   
>>> On Fri, 20 Jul 2007, Daniel P. Berrange wrote:
>>> 
>>>   
>>>     
>>>> It could be - if your put the policy at the control API layer instead of
>>>> in QEMU itself.
>>>>     
>>>>       
>>> Then you can bypass MAC security by invoking qemu directly.
>>>   
>>>     
>> 
>> You can bypass MAC security by writing your own binary that uses the KVM
>> kernel interfaces.
>> 
>>   
> 
> I guess modifying qemu makes sense if the modification gives you *more*
> permissions.
> 
> i.e. you start out just with the ability to access the disk image, and
> then you transition to a new domain that allows you to access some network.
> 
> 
> Is that what is intended here?

The intent here is to provide some mechanism for a policy-driven transition
to occur when loading a virtual disk.  So, an administrator would write
policy for say, a topsecret_vm_t domain, in which the top secret VM can run.
All access requests from this VM would have a source type of topsecret_vm_t
on the host machine.  The virtual disk, labeled perhaps as topsecret_disk_t,
would need to be authorized in policy to be an entrypoint into the
topsecret_vm_t domain.  This patch proposes a mechanism that allows us to
provide policy driven controls both over which files can be used as a disk
image, and to which domain a qemu process will transition after loading the
disk image.  

Originally, I thought qemu was the proper place for this type of an
enforcement hook, but libvirt may be more appropriate because qemu could be
launched with a different security context if loading a virtual disk, rather
than having qemu set up the security context of the VM.  Thoughts?



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/