From: Sascha Silbe
To: "Daniel P. Berrange", Michal Privoznik
Cc: qemu-devel@nongnu.org, amit.shah@redhat.com, jasowang@redhat.com, Wei Xu, armbru@redhat.com
Date: Thu, 02 Jun 2016 21:27:45 +0200
Subject: [Qemu-devel] Channel paths (was: Re: [RFC Patch 0/3] Accept passed in socket 'fd' open from outside for unix socket)
Message-Id: <201606021927.u52JB5fi031844@mx0a-001b2d01.pphosted.com>
In-Reply-To: <20160602082904.GD9481@redhat.com>
References: <1464712247-11655-1-git-send-email-wexu@redhat.com> <20160531164448.GE21628@redhat.com> <574F0A7B.5030401@redhat.com> <01045d4a-f03d-9f0d-deeb-4927446bb894@redhat.com> <20160602082904.GD9481@redhat.com>

Dear Daniel,

"Daniel P. Berrange" writes:

> On Thu, Jun 02, 2016 at 09:41:56AM +0200, Michal Privoznik wrote:
>> On 01.06.2016 18:16, Wei Xu wrote:
>> > On 2016年06月01日 00:44, Daniel P. Berrange wrote:

> There are plenty of other places where we allow arbitrary paths in the
> XML, but which have restrictions imposed by the security drivers. Not
> least the devices which have the exact same scenario as this
> network device, and require use of /var/lib/libvirt/qemu as the directory
> for the sockets. We certainly do not want to allow QEMU to create sockets
> anywhere.

Umm, how exactly is an application supposed to use (i.e. open) the
channel devices defined in XML?

Previously I deliberately left out the path in the XML to let libvirt
choose the path and extracted it from the XML after defining the
domain. This ensured qemu could access the path, plus it was the
responsibility of libvirt to clean it up once the domain was
undefined. Easy and simple.

Since 71408079 [qemu: Don't bother user with libvirt-internal paths],
the path chosen by libvirt isn't included in the domain XML anymore. So
now I need to choose the path inside the application. The only safe way
to do that is by using something in an application-managed namespace
(e.g. /var/lib/myapp/foo or /tmp/myapp/foo); I certainly wouldn't want
to second-guess what paths would be safe inside the libvirt namespace
(/var/lib/libvirt/qemu).

Except now I hear that anything outside /var/lib/libvirt/qemu is not
guaranteed to work due to e.g. the SELinux policy configured by
libvirt...

Sascha

-- 
Softwareentwicklung Sascha Silbe, Niederhofenstraße 5/1, 71229 Leonberg
https://se-silbe.de/
USt-IdNr. DE281696641
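As an added example, not part of this thread and not libvirt's own code: a small Python check that pulls the unix-socket <channel> paths out of a domain XML and classifies each one as libvirt-chosen (no path given, the situation Sascha describes), inside the /var/lib/libvirt/qemu directory Daniel names, or outside it. The directory constant, the sample domain XML and the function names are assumptions made for illustration. The containment test normalises ".." lexically so that a path which merely starts with the allowed prefix but climbs back out is still rejected; it does not resolve symlinks, so on a live host you would compare os.path.realpath() results instead.

```python
"""Classify channel-device socket paths in a libvirt domain XML.

Added example; not from the original e-mail thread and not libvirt code.
Assumption taken from the thread: the security driver only lets QEMU
create unix sockets under /var/lib/libvirt/qemu.
"""
import posixpath
import xml.etree.ElementTree as ET

# Assumed allowed directory (as stated in the quoted reply).
ALLOWED_ROOT = "/var/lib/libvirt/qemu"

# Constructed sample domain XML for demonstration; not taken from the page.
SAMPLE_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/guest1/org.example.agent'/>
      <target type='virtio' name='org.example.agent'/>
    </channel>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/myapp/foo'/>
      <target type='virtio' name='org.example.app'/>
    </channel>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/../../myapp/sneaky'/>
      <target type='virtio' name='org.example.sneaky'/>
    </channel>
    <channel type='unix'>
      <source mode='bind'/>
      <target type='virtio' name='org.example.auto'/>
    </channel>
  </devices>
</domain>
"""


def is_under(path, root):
    """True if `path` lies at or below `root` after lexical normalisation.

    normpath() collapses ".." segments, so a prefix match alone is not enough:
    "/var/lib/libvirt/qemu/../../x" ends up in /var/lib/x and is rejected.
    Symlinks are not resolved here (use os.path.realpath on a live host).
    """
    norm = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return norm == root or norm.startswith(root + "/")


def channel_paths(domain_xml):
    """Return [(target_name, path_or_None)] for every unix-socket channel."""
    dom = ET.fromstring(domain_xml)
    result = []
    for ch in dom.findall("./devices/channel[@type='unix']"):
        src = ch.find("source")
        tgt = ch.find("target")
        name = tgt.get("name") if tgt is not None else None
        path = src.get("path") if src is not None else None
        result.append((name, path))
    return result


def classify_channels(domain_xml, allowed_root=ALLOWED_ROOT):
    """Map target name -> 'libvirt-chosen' | 'allowed' | 'outside'.

    'libvirt-chosen': no path in the XML, libvirt picks one itself.
    'allowed':        application-supplied path under allowed_root.
    'outside':        application-supplied path the security driver may block.
    """
    verdicts = {}
    for name, path in channel_paths(domain_xml):
        if path is None:
            verdicts[name] = "libvirt-chosen"
        elif is_under(path, allowed_root):
            verdicts[name] = "allowed"
        else:
            verdicts[name] = "outside"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify_channels(SAMPLE_XML).items():
        print(f"{name}: {verdict}")
```

Running the check before virDomainDefineXML() gives an application a way to notice, up front, that a path in its own namespace (/var/lib/myapp/foo in the sample) will not be covered by the policy Daniel describes, rather than discovering it when QEMU fails to bind the socket.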