Message-ID: <4AF2E638.8050302@us.ibm.com>
Date: Thu, 05 Nov 2009 08:50:32 -0600
From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com> <4AF2E247.3090409@redhat.com> <4AF2E2E3.1030600@redhat.com>
In-Reply-To: <4AF2E2E3.1030600@redhat.com>
To: Avi Kivity
Cc: Mark McLoughlin, Arnd Bergmann, Dustin Kirkland, Juan Quintela, qemu-devel@nongnu.org, Michael Tsirkin

Avi Kivity wrote:
> On 11/05/2009 04:33 PM, Avi Kivity wrote:
>> and concerned that we're loosening security for qemu non-users.
>>
>
> I see you've addressed this via an acl system. Still, this IMO
> should be outside qemu, esp. as security is now much more than
> users/groups (i.e. selinux and friends).

Actually, I think this model is pretty close to what the latest crazes are in the security world. The model you're advocating (privileged process handing over a fd) is not as secure because it requires that the management daemon runs as a privileged user.

There's nothing about this that prevents the use of a management framework. In fact, had this existed when libvirt was first written, I'd hope libvirt would have used this mechanism instead of fd inheritance.

Management software is really just another user. We really want management software to run unprivileged as much as possible.

--
Regards,

Anthony Liguori