From: James Morris <jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>
To: Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
Cc: kvm-devel
<kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>,
Joshua Brindle <jbrindle-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>,
David Windsor <dwindsor-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>,
selinux <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
Subject: Re: [RFC][PATCH 00/01]qemu VM entrypoints
Date: Fri, 20 Jul 2007 19:33:33 -0400 (EDT) [thread overview]
Message-ID: <Line.LNX.4.64.0707201922220.12412@d.namei> (raw)
In-Reply-To: <46A13CDB.7020900-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
On Fri, 20 Jul 2007, Anthony Liguori wrote:
> > I guess you'd have OS policy preventing normal domains from accessing
> > /dev/kvm (or /dev/lguest etc.), while a security-aware launcher would
> > enforce access control policy over which domains could launch which disk
> > images as VMs, and also setup the execution context & fork.
> >
>
> I really think you have to start with the assumption that a guest can access
> anything that QEMU can access and attempt to build security around that. If
> you want to restrict what the guest can see, restrict what QEMU can see.
Right, we are talking about specific invocations of qemu running in
different security domains. SELinux policy at the OS level would control
what each domain (i.e. instance of qemu) can do.
> At some point, we may do crazy stuff like syscall pass-through in which case,
> it would be all but impossible to have a "security-aware" launcher.
We need some mechanism to invoke VM instances so that they execute in a
specific security domain, and to ensure that the domain performing the
invocation is authorized to do so, on the specific disk image, and to be
transitioned to a specific domain of execution according to policy.
This is just the invocation phase.
There may need to be further controls on e.g. inter-VM communication or
other things which may operate outside the standard host OS mechanisms.
I'm not sure exactly what syscall passthrough entails, or what the
security implications are. How would it make it impossible to have a
security-aware launcher (i.e. the application which invokes the VM
instance per above) ?
- James
--
James Morris
<jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
next prev parent reply other threads:[~2007-07-20 23:33 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-20 19:32 [RFC][PATCH 00/01]qemu VM entrypoints David Windsor
[not found] ` <C2C68600.366D%dwindsor-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org>
2007-07-20 20:03 ` Anthony Liguori
[not found] ` <46A1151F.7020502-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2007-07-20 21:55 ` David Windsor
2007-07-20 22:19 ` [kvm-devel] " Anthony Liguori
2007-07-20 20:11 ` Daniel P. Berrange
[not found] ` <20070720201101.GC12218-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2007-07-20 20:30 ` James Morris
2007-07-20 20:38 ` Daniel P. Berrange
2007-07-20 20:46 ` Anthony Liguori
[not found] ` <46A11F1A.2080004-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2007-07-20 22:42 ` James Morris
2007-07-20 22:53 ` Anthony Liguori
[not found] ` <46A13CDB.7020900-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2007-07-20 23:33 ` James Morris [this message]
2007-07-21 2:48 ` David Windsor
2007-07-21 6:21 ` Avi Kivity
[not found] ` <46A1A5E9.7000807-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
2007-07-21 6:53 ` David Windsor
[not found] ` <C2C7258F.36C9%dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2007-07-21 15:54 ` Anthony Liguori
[not found] ` <46A22C37.5030004-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2007-07-21 17:55 ` James Morris
2007-07-21 19:01 ` Joshua Brindle
[not found] ` <6FE441CD9F0C0C479F2D88F959B01588DE1B1E-Lp/cVzEoVybUo1n7N8X6UhN0Am9MfdqnVpNB7YpNyf8@public.gmane.org>
2007-07-22 19:07 ` Anthony Liguori
[not found] ` <46A3AB09.3090800-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>
2007-07-22 20:22 ` David Windsor
2007-07-22 17:39 ` David Windsor
2007-07-20 21:57 ` David Windsor
[not found] ` <25a1d91b0707201457m6865a505maf93d22c5c28f0cc-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2007-07-20 23:50 ` Daniel P. Berrange
[not found] ` <20070720235007.GA1595-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2007-07-21 1:41 ` James Morris
2007-07-20 20:35 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Line.LNX.4.64.0707201922220.12412@d.namei \
--to=jmorris-gx6/jnmh7dfytjvyw6ydsg@public.gmane.org \
--cc=anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org \
--cc=dwindsor-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org \
--cc=jbrindle-5TQdPaFcblfQT0dZR+AlfA@public.gmane.org \
--cc=kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
--cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox