From: Stefan Hajnoczi <stefanha@redhat.com>
To: John G Johnson <john.g.johnson@oracle.com>
Cc: "\"Daniel P. Berrangé\"" <berrange@redhat.com>,
"Elena Ufimtseva" <elena.ufimtseva@oracle.com>,
sstabellini@kernel.org, "Jag Raman" <jag.raman@oracle.com>,
konrad.wilk@oracle.com, "Stefan Hajnoczi" <stefanha@gmail.com>,
qemu-devel@nongnu.org, ross.lagerwall@citrix.com,
liran.alon@oracle.com, kanth.ghatraju@oracle.com
Subject: Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess
Date: Fri, 8 Mar 2019 09:50:36 +0000 [thread overview]
Message-ID: <20190308095036.GC12318@stefanha-x1.localdomain> (raw)
In-Reply-To: <BDEBF2EE-DE0F-46CF-B60E-536B3DA9BF77@oracle.com>
[-- Attachment #1: Type: text/plain, Size: 2433 bytes --]
On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:
> > On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> > On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:
> >> On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote:
> >>> On Wed, Mar 06, 2019 at 11:22:53PM -0800, elena.ufimtseva@oracle.com wrote:
> >>>> diff --git a/docs/devel/qemu-multiprocess.txt b/docs/devel/qemu-multiprocess.txt
> >>>> new file mode 100644
> >>>> index 0000000..e29c6c8
> >>>> --- /dev/null
> >>>> +++ b/docs/devel/qemu-multiprocess.txt
> >>>
> >>> Thanks for this document and the interesting work that you are doing.
> >>> I'd like to discuss the security advantages gained by disaggregating
> >>> QEMU in more detail.
> >>>
> >>> The security model for VMs managed by libvirt (most production x86, ppc,
> >>> s390 guests) is that the QEMU process is untrusted and only has access
> >>> to resources belonging to the guest. SELinux is used to restrict the
> >>> process from accessing other files, processes, etc on the host.
> >>
> >> NB it doesn't have to be SELinux. Libvirt also supports AppArmor and
> >> can even do isolation with traditional DAC by putting each QEMU under
> >> a distinct UID/GID and having libvirtd set ownership on resources each
> >> VM is permitted to use.
> >>
> >>> QEMU does not hold privileged resources that must be kept away from the
> >>> guest. An escaped guest can access its image file, tap file descriptor,
> >>> etc but they are the same resources it could already access via device
> >>> emulation.
> >>>
> >>> Can you give specific examples of how disaggregation improves security?
> >
> > Elena & collaborators: Dan has posted some ideas but please share yours
> > so the security benefits of this patch series can be better understood.
> >
>
> Dan covered the main point. The security regime we use (selinux)
> constrains the actions of processes on objects, so having multiple processes
> allows us to apply more fine-grained policies.
Please share the SELinux policy files, containerization scripts, etc.
There is probably a home for them in qemu.git, libvirt.git, or elsewhere
upstream.
We need to find a way to make the sandboxing improvements available to
users besides yourself and easily reusable for developers who wish to
convert additional device models.
Thanks,
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2019-03-08 9:50 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-07 7:22 [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess elena.ufimtseva
2019-03-07 8:14 ` Thomas Huth
2019-03-07 14:16 ` Kevin Wolf
2019-03-07 14:21 ` Thomas Huth
2019-03-07 14:40 ` Konrad Rzeszutek Wilk
2019-03-07 14:53 ` Thomas Huth
2019-03-08 18:22 ` Elena Ufimtseva
2019-03-07 14:26 ` Stefan Hajnoczi
2019-03-07 14:51 ` Daniel P. Berrangé
2019-03-07 16:05 ` Michael S. Tsirkin
2019-03-07 16:19 ` Daniel P. Berrangé
2019-03-07 16:46 ` Michael S. Tsirkin
2019-03-07 16:49 ` Daniel P. Berrangé
2019-03-07 19:27 ` Stefan Hajnoczi
2019-03-07 23:29 ` John G Johnson
2019-03-08 9:50 ` Stefan Hajnoczi [this message]
[not found] ` <20190326080822.GC21018@stefanha-x1.localdomain>
[not found] ` <e5395abf-6b41-46c8-f5af-3210077dfdd5@oracle.com>
[not found] ` <CAAdtpL4ztcpf-CTx0fc5T_+VQ+8upHa2pEMoiZPcmBXOO6L3Og@mail.gmail.com>
2019-04-23 21:26 ` Jag Raman
2019-04-23 21:26 ` Jag Raman
2019-04-25 15:44 ` Stefan Hajnoczi
2019-04-25 15:44 ` Stefan Hajnoczi
2019-05-07 19:00 ` Jag Raman
2019-05-23 10:40 ` Stefan Hajnoczi
2019-06-11 15:53 ` Jag Raman
2019-05-23 11:11 ` Stefan Hajnoczi
2019-05-28 15:18 ` Elena Ufimtseva
2019-05-30 20:54 ` Elena Ufimtseva
2019-06-11 15:59 ` Jag Raman
2019-06-12 16:24 ` Stefan Hajnoczi
2019-06-12 17:01 ` Elena Ufimtseva
2019-03-11 10:20 ` Daniel P. Berrangé
2019-05-07 21:00 ` Elena Ufimtseva
2019-05-23 11:22 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190308095036.GC12318@stefanha-x1.localdomain \
--to=stefanha@redhat.com \
--cc=berrange@redhat.com \
--cc=elena.ufimtseva@oracle.com \
--cc=jag.raman@oracle.com \
--cc=john.g.johnson@oracle.com \
--cc=kanth.ghatraju@oracle.com \
--cc=konrad.wilk@oracle.com \
--cc=liran.alon@oracle.com \
--cc=qemu-devel@nongnu.org \
--cc=ross.lagerwall@citrix.com \
--cc=sstabellini@kernel.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).