Date: Tue, 24 Feb 2015 17:24:10 +0000
From: "Daniel P. Berrange"
To: Eric Blake
Cc: zhanghailiang, Li Zhijian, yunhong.jiang@intel.com, eddie.dong@intel.com, qemu-devel@nongnu.org, dgilbert@redhat.com, Gao feng, stefanha@redhat.com, pbonzini@redhat.com, peter.huangpeng@huawei.com
Subject: Re: [Qemu-devel] [PATCH RFC v3 17/27] COLO: Add new command parameter 'colo_nicname' 'colo_script' for net
Message-ID: <20150224172410.GT21611@redhat.com>
In-Reply-To: <54ECA740.4050701@redhat.com>

On Tue, Feb 24, 2015 at 09:30:56AM -0700, Eric Blake wrote:
> On 02/24/2015 02:50 AM, Wen Congyang wrote:
> >> Script files are in general very hard to secure. Libvirt marks any
> >> domain that uses a script file for controlling networking as tainted,
> >> because it cannot guarantee that the script did not do arbitrary
> >> actions. Can you come up with any better solution that does not require
> >> a script file, such as having management software responsible for
> >> passing in an already-opened fd?
> >
> > Do you mean that opening the script in libvirt?
> >
>
> No, I mean a solution that needs no script file at all. Have libvirt
> pre-open the TAP device you will need, then pass in the fd that will be
> used for the colo NIC.

Agreed, we really must not add new features that require executing
arbitrary blackbox shell scripts to QEMU, when we know that results in
a flawed security model. And just pushing the script execution up to
libvirt is not really a satisfactory solution either.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
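
The fd-passing approach suggested in the thread, sketched as an added example (not code from the patch series, QEMU or libvirt): a privileged management process opens the TAP device itself and hands QEMU only the open descriptor, so QEMU runs no script. It uses QEMU's existing `-netdev tap,fd=N` form rather than any COLO-specific parameter; the interface name `tap0`, the netdev id `net0` and the helper names are assumptions.

```python
import fcntl
import os
import struct
import subprocess

# Linux TUN/TAP constants from <linux/if_tun.h>.
TUNSETIFF = 0x400454CA
IFF_TAP = 0x0002
IFF_NO_PI = 0x1000


def open_tap(ifname):
    """Attach to TAP interface `ifname`; needs CAP_NET_ADMIN, so it runs
    in the management layer, not in QEMU."""
    fd = os.open("/dev/net/tun", os.O_RDWR | os.O_CLOEXEC)
    try:
        # struct ifreq: 16-byte name, 2-byte flags, padding to 40 bytes.
        ifr = struct.pack("16sH22x", ifname.encode(), IFF_TAP | IFF_NO_PI)
        fcntl.ioctl(fd, TUNSETIFF, ifr)
    except OSError:
        os.close(fd)
        raise
    return fd


def tap_netdev_args(fd, netdev_id):
    """QEMU arguments that hand over an already-open TAP fd."""
    return ["-netdev", f"tap,id={netdev_id},fd={fd}"]


def spawn_with_fd(argv, fd):
    """Start the child with exactly one extra descriptor inherited.
    pass_fds keeps `fd` at the same number in the child; every other
    descriptor above 2 is closed before exec."""
    return subprocess.Popen(argv, pass_fds=(fd,), close_fds=True)


if __name__ == "__main__":
    tap = open_tap("tap0")  # constructed interface name (assumption)
    argv = ["qemu-system-x86_64", *tap_netdev_args(tap, "net0"),
            "-device", "virtio-net-pci,netdev=net0"]
    child = spawn_with_fd(argv, tap)
    os.close(tap)  # the parent no longer needs its copy
    child.wait()
```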