From: Corey Bryant
Date: Thu, 14 Jun 2012 11:55:00 -0400
Message-Id: <1339689305-27031-1-git-send-email-coreyb@linux.vnet.ibm.com>
Subject: [Qemu-devel] [PATCH v3 0/5] file descriptor passing using pass-fd
To: qemu-devel@nongnu.org
Cc: kwolf@redhat.com, aliguori@us.ibm.com, stefanha@linux.vnet.ibm.com, libvir-list@redhat.com, lcapitulino@redhat.com, pbonzini@redhat.com, eblake@redhat.com

libvirt's sVirt security driver provides SELinux MAC isolation for Qemu guest processes and their corresponding image files.
In other words, sVirt uses SELinux to prevent a QEMU process from opening files that do not belong to it.

sVirt provides this support by labeling guests and resources with security labels that are stored in file system extended attributes. Some file systems, such as NFS, do not support the extended attribute security namespace, and therefore cannot support sVirt isolation.

A solution to this problem is to provide fd passing support, where libvirt opens files and passes file descriptors to QEMU. This, along with SELinux policy to prevent QEMU from opening files, can provide image file isolation for NFS files stored on the same NFS mount.

This patch series adds the pass-fd QMP monitor command, which allows an fd to be passed via SCM_RIGHTS, and returns the received file descriptor. Support is also added to the block layer to allow QEMU to dup the fd when the filename is of the /dev/fd/X format. This is useful if MAC policy prevents QEMU from opening specific types of files.

One nice thing about this approach is that no new SELinux policy is required to prevent open of NFS files (files with type nfs_t). The virt_use_nfs boolean type simply needs to be set to false, and open will be prevented (and dup will be allowed).
For example:

    # setsebool virt_use_nfs 0
    # getsebool virt_use_nfs
    virt_use_nfs --> off

Corey Bryant (5):
  qapi: Convert getfd and closefd
  qapi: Add pass-fd QMP command
  osdep: Enable qemu_open to dup pre-opened fd
  block: Convert open calls to qemu_open
  block: Prevent /dev/fd/X filename from being detected as floppy

 block/raw-posix.c |   22 ++++++++++---------
 block/raw-win32.c |    4 ++--
 block/vdi.c       |    5 +++--
 block/vmdk.c      |   21 ++++++++----------
 block/vpc.c       |    2 +-
 block/vvfat.c     |   21 +++++++++---------
 hmp-commands.hx   |    6 ++----
 hmp.c             |   18 ++++++++++++++++
 hmp.h             |    2 ++
 monitor.c         |   61 +++++++++++++++++++++++++++++++++++++++--------------
 osdep.c           |   13 ++++++++++++
 qapi-schema.json  |   54 +++++++++++++++++++++++++++++++++++++++++++++++
 qmp-commands.hx   |   48 +++++++++++++++++++++++++++++++++++++----
 13 files changed, 216 insertions(+), 61 deletions(-)

-- 
1.7.10.2
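
An added illustration of the mechanism this cover letter describes, not code from the patch series: one side passes an already-open descriptor over a UNIX socket with SCM_RIGHTS, and the other side dups it when handed a /dev/fd/N name instead of calling open(). The names send_fd, recv_fd, open_or_dup and demo, and the pipe standing in for an image file, are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Union keeps the control buffer aligned for struct cmsghdr. */
typedef union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } fdctl;

/* Sender (libvirt's role): attach fd to a one-byte message as SCM_RIGHTS. */
static int send_fd(int sock, int fd) {
    char byte = 0; fdctl u;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    memset(&u, 0, sizeof u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver (QEMU's role): returns the received descriptor, or -1. */
static int recv_fd(int sock) {
    char byte; int fd; fdctl u;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* "/dev/fd/N" means dup(N); any other name is refused here (no open()). */
static int open_or_dup(const char *name) {
    if (strncmp(name, "/dev/fd/", 8) || name[8] < '0' || name[8] > '9') return -1;
    char *end; long n = strtol(name + 8, &end, 10);
    return (*end || (long)(int)n != n) ? -1 : dup((int)n);  /* reject junk/overflow */
}

/* Round trip on a socketpair; the "image" is a pipe holding constructed data. */
static int demo(char *out, size_t len) {
    int sv[2], p[2]; char name[32];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(p)) return -1;
    if (write(p[1], "image", 5) != 5 || send_fd(sv[0], p[0])) return -1;
    snprintf(name, sizeof name, "/dev/fd/%d", recv_fd(sv[1]));
    return (int)read(open_or_dup(name), out, len);   /* bytes read, or -1 */
}
```

The receiver never resolves a path: it can only reach the file through the descriptor it was handed.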