From: Anthony Liguori
Date: Mon, 09 Nov 2009 08:20:20 -0600
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
Message-ID: <4AF82524.8080805@us.ibm.com>
In-Reply-To: <4AF680FD.5050101@redhat.com>
To: Avi Kivity
Cc: Mark McLoughlin, Arnd Bergmann, Michael Tsirkin, Dustin Kirkland, qemu-devel@nongnu.org, Juan Quintela, David Woodhouse

Avi Kivity wrote:
> On 11/08/2009 12:11 AM, Anthony Liguori wrote:
>>
>>> You don't need root privileges to use a tap device.
>>
>> You can access a preconfigured tap device but you cannot allocate a
>> tap device and connect it to a bridge without CAP_NET_ADMIN.
>
> btw, shouldn't we, in the general case, create a bridge per user and
> use IP NAT? If we have a global bridge, users can spoof each other's
> MAC addresses and interfere with their virtual machines.

qemu-bridge-helper supports that model quite well :-)

You would create a NAT'd bridge for each user as the administrator, then
create a bridge.conf that consisted of per-user includes with appropriate
permissions set on each of those files.

> They can also interfere with the real network.
>
> That's not a concern with most one-user-per-machine configurations,
> but the default configuration should be safe.

Let's not kid ourselves, no matter what we do we're giving a user
elevated privileges. Even with NAT, if the host can access the NAT'ed
network, then you can run a privileged service (like NFS) in that
network. Like it or not, some networks rely on privileged services
being trusted as part of their security model (consider NIS).

I think the best we can do is provide a tool that allows an
administrator to grant users additional privileges in the tiniest
increments possible. Putting people in wheel just so they can do
virtualization is too much.

I don't see having an fscap-based helper as creating policy. I see it
as adding a mechanism for administrators to create policy.

-- 
Regards,

Anthony Liguori
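The per-user NAT'd bridge layout Anthony sketches above (one bridge per user, a bridge.conf made of per-user includes, file permissions doing the access control), written out as an administrator's setup script. This is an added example, not code from the patch series or from QEMU. It assumes the ACL syntax of qemu-bridge-helper as later shipped in QEMU ("allow <bridge>", "deny all", "include <file>", default deny, unreadable includes silently ignored) and that the helper reads its config with the invoking user's uid so that a 0640 root:<user> include file is only honoured for that user; whether this 2009 patch used exactly that syntax is not established by the thread. Bridge names, the 10.99.N.0/24 subnets, the uplink name and the /etc/qemu paths are constructed for illustration. With DRY_RUN=1 the privileged commands are printed instead of executed, which is also how the script can be checked on a non-root host.

```shell
#!/bin/sh
# setup-user-bridges.sh: one NAT'd bridge per user plus a per-user ACL for
# qemu-bridge-helper. Added example, not part of the original patch or thread.
# ASSUMPTION: helper ACL syntax is "allow <bridge>" / "deny all" / "include <f>",
# evaluated in order with default deny, and include files are opened as the
# real (unprivileged) user, so file permissions scope a rule to one user.
set -eu

CONF_DIR="${CONF_DIR:-/etc/qemu}"   # constructed path; helper's default is /etc/qemu/bridge.conf
UPLINK="${UPLINK:-eth0}"            # constructed: interface the NAT egresses through
DRY_RUN="${DRY_RUN:-0}"             # 1 = print privileged commands instead of running them

# Run a privileged command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridge name for a user: "br-" followed by the user name (constructed convention).
bridge_for() { printf 'br-%s\n' "$1"; }

# Create the user's bridge on its own 10.99.$2.0/24 and masquerade it via the
# uplink. Each user gets a separate L2 segment, so MAC spoofing against another
# user's guests is not possible; the guests can still reach the host and, via
# NAT, the real network, which is the residual exposure Anthony points out.
create_user_bridge() {
    br=$(bridge_for "$1")
    run ip link add "$br" type bridge
    run ip addr add "10.99.$2.1/24" dev "$br"
    run ip link set "$br" up
    run iptables -t nat -A POSTROUTING -s "10.99.$2.0/24" -o "$UPLINK" -j MASQUERADE
    run iptables -A FORWARD -i "$br" -o "$UPLINK" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$br" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Write the user's ACL fragment and make it readable only by root and that
# user's primary group (assumes per-user groups, as most distributions create).
write_user_acl() {
    br=$(bridge_for "$1")
    f="$CONF_DIR/bridge.conf.d/$1"
    printf 'allow %s\n' "$br" > "$f"
    chmod 0640 "$f"
    run chown "root:$1" "$f"
}

# Build everything for the listed users. The Nth user gets 10.99.N.0/24; a real
# deployment would persist the assignment rather than derive it from order.
setup_users() {
    n=0
    mkdir -p "$CONF_DIR/bridge.conf.d"
    : > "$CONF_DIR/bridge.conf"
    for u in "$@"; do
        n=$((n + 1))
        create_user_bridge "$u" "$n"
        write_user_acl "$u"
        printf 'include %s\n' "$CONF_DIR/bridge.conf.d/$u" >> "$CONF_DIR/bridge.conf"
    done
    # Explicit final deny; the helper denies anything no rule allowed anyway.
    printf 'deny all\n' >> "$CONF_DIR/bridge.conf"
    chmod 0644 "$CONF_DIR/bridge.conf"
}

# Usage:  DRY_RUN=1 sh setup-user-bridges.sh alice bob   (print the commands)
#         sh setup-user-bridges.sh alice bob             (as root, apply them)
# A user then attaches a guest only to their own bridge, e.g. (later QEMU syntax)
#   qemu-system-x86_64 -netdev bridge,id=n0,br=br-alice -device virtio-net-pci,netdev=n0
if [ $# -gt 0 ]; then
    setup_users "$@"
fi
```

The point of the layout is that the main bridge.conf is world-readable and holds nothing but include lines, while each include carries the only "allow" for that user's bridge and is unreadable to everyone else; the helper keeps CAP_NET_ADMIN to do the bridge attach but reads the policy as the user, so a user asking for someone else's bridge hits the default deny. The privileged service problem Anthony raises is not solved by any of this: a guest on br-alice can still reach 10.99.1.1 and whatever the host offers there.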