From: Anthony Liguori <aliguori@us.ibm.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: kwolf@redhat.com, libvir-list@redhat.com,
Corey Bryant <coreyb@linux.vnet.ibm.com>,
Christoph Hellwig <hch@lst.de>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [libvirt] [PATCH v4] Add support for fd: protocol
Date: Mon, 22 Aug 2011 12:25:25 -0500
Message-ID: <4E529105.2010907@us.ibm.com>
In-Reply-To: <20110822165014.GM9456@redhat.com>
On 08/22/2011 11:50 AM, Daniel P. Berrange wrote:
> On Mon, Aug 22, 2011 at 11:29:12AM -0500, Anthony Liguori wrote:
>> I don't think it makes sense to have qemu-fe do dynamic labelling.
>> You certainly could avoid the fd passing by having qemu-fe do the
>> open though and just let qemu-fe run without the restricted security
>> context.
>
> qemu-fe would also not be entirely simple,
Indeed.
> because it will need to act
> as a proxy for the monitor, in order to make hotplug work. ie the mgmt
> app would be sending 'drive_add file:/foo/bar' to qemu-fe, which would
> then have to open the file and send 'drive_add fd:NN' onto the real QEMU,
> and then pass the results on back.
>
> In addition qemu-fe would still have to be under some kind of restricted
> security context for it to be acceptable. This is going to want to be as
> locked down as possible.
I think there's got to be some give and take here.
It should at least be as locked down as libvirtd. From a security point
of view, we should be able to agree that we want libvirtd to be as
locked down as possible.
But there shouldn't be a hard requirement to lock down qemu-fe more than
libvirtd. Instead, the requirement should be for qemu-fe to be as/more
vigilant in not trusting qemu-system-x86_64 as libvirtd is.
The fundamental problem here is that there is some logic in libvirtd
that rightly belongs in QEMU. In order to preserve the security model,
that means that we're going to have to take a subsection of QEMU and
trust it more.
> So I'd see that you'd likely end up with the
> qemu-fe security policy being identical to the qemu security policy,
Then there's no point in doing qemu-fe. qemu-fe should be thought of as a
QEMU-supplied libvirtd plugin.
> with the exception that it would be allowed to open files on NFS without
> needing them to be labelled. So I don't really see that all this gives us
> any tangible benefits over just allowing the mgmt app to pass in the FDs
> directly.
>
>> But libvirt would still need to parse image files.
>
> Not necessarily. As mentioned below, it is entirely possible to
> enable the mgmt app to pass in details of the backing files, at
> which point no image parsing is required by libvirt. Hence my
> assertion that the question of who does image parsing is irrelevant
> to this discussion.
That's certainly true.
Regards,
Anthony Liguori
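The proxy flow sketched in the quoted text above (qemu-fe opening the file itself and re-issuing the command to the real QEMU as 'drive_add fd:NN'), as an added example that is not part of this thread and is not QEMU or libvirt code; it assumes Python 3.9+ on Linux and all function names are made up for the illustration:

```python
import os, socket, tempfile, threading

# Added illustration of the qemu-fe proxy step described in the mail, not QEMU
# or libvirt code: qemu-fe opens 'file:PATH' itself, passes the descriptor over
# a Unix socket (SCM_RIGHTS), and sends 'drive_add fd:NN' to a confined QEMU
# that never open(2)s a path. Names are assumptions; needs Python 3.9+.
def parse_drive_add(cmd):
    """Split 'drive_add <proto>:<arg>' into (proto, arg); reject anything else."""
    verb, _, rest = cmd.strip().partition(" ")
    proto, sep, arg = rest.partition(":")
    if verb != "drive_add" or sep != ":" or not arg:
        raise ValueError("malformed monitor command: %r" % cmd)
    return proto, arg
def fe_proxy(cmd, to_qemu):
    """qemu-fe side: open under its own privileges, hand over the fd, rewrite."""
    proto, path = parse_drive_add(cmd)
    if proto != "file":
        raise ValueError("proxy only translates file: commands")
    fd = os.open(path, os.O_RDWR | os.O_CLOEXEC)
    try:
        socket.send_fds(to_qemu, [b"getfd"], [fd])   # one SCM_RIGHTS message
    finally:
        os.close(fd)                                  # peer now holds its own copy
    nn = int(to_qemu.recv(32))                        # fd number as seen by the peer
    to_qemu.sendall(("drive_add fd:%d" % nn).encode())
    return to_qemu.recv(256).decode()
def confined_qemu(from_fe):
    """Confined side: take a descriptor, report its number, honour only that fd."""
    msg, fds, _, _ = socket.recv_fds(from_fe, 32, 1)
    if msg != b"getfd" or len(fds) != 1:
        return                                        # proxy gave up before sending
    held = fds[0]
    from_fe.sendall(str(held).encode())
    proto, arg = parse_drive_add(from_fe.recv(256).decode())
    if proto != "fd" or not arg.isdigit() or int(arg) != held:
        from_fe.sendall(b"error: not a descriptor we were given")
    else:
        from_fe.sendall(b"ok " + os.pread(held, 11, 0))  # use the fd, never a path
    os.close(held)
def run_exchange(cmd):
    # Drive both ends over a socketpair; return the confined side's reply.
    fe, qemu = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=confined_qemu, args=(qemu,))
    worker.start()
    try:
        return fe_proxy(cmd, fe)
    finally:
        fe.close()                                    # unblocks the worker on error
        worker.join()
        qemu.close()
def make_sample_image():
    # Constructed stand-in for a disk image; returns its path.
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"constructed image")
    return f.name
```

The confined side only ever reads through a descriptor it was handed, which is the property that lets the real QEMU process run under the tighter label while the opener keeps the file-access policy.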