From: Anthony Liguori <aliguori@us.ibm.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: kwolf@redhat.com, libvir-list@redhat.com,
Corey Bryant <coreyb@linux.vnet.ibm.com>,
Christoph Hellwig <hch@lst.de>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [libvirt] [PATCH v4] Add support for fd: protocol
Date: Mon, 22 Aug 2011 14:25:12 -0500 [thread overview]
Message-ID: <4E52AD18.9010907@us.ibm.com> (raw)
In-Reply-To: <20110822182210.GA31225@redhat.com>
On 08/22/2011 01:22 PM, Daniel P. Berrange wrote:
> On Mon, Aug 22, 2011 at 12:25:25PM -0500, Anthony Liguori wrote:
>> On 08/22/2011 11:50 AM, Daniel P. Berrange wrote:
>>> On Mon, Aug 22, 2011 at 11:29:12AM -0500, Anthony Liguori wrote:
>>>> I don't think it makes sense to have qemu-fe do dynamic labelling.
>>>> You certainly could avoid the fd passing by having qemu-fe do the
>>>> open though and just let qemu-fe run without the restricted security
>>>> context.
>>>
>>> qemu-fe would also not be entirely simple,
>>
>> Indeed.
>>
>>> because it will need to act
>>> as a proxy for the monitor, in order to make hotplug work. ie the mgmt
>>> app would be sending 'drive_add file:/foo/bar' to qemu-fe, which would
>>> then have to open the file and send 'drive_add fd:NN' onto the real QEMU,
>>> and then pass the results on back.
>>>
>>> In addition qemu-fe would still have to be under some kind of restricted
>>> security context for it to be acceptable. This is going to want to be as
>>> locked down as possible.
>>
>> I think there's got to be some give and take here.
>>
>> It should at least be as locked down as libvirtd. From a security
>> point of view, we should be able to agree that we want libvirtd to
>> be as locked down as possible.
>>
>> But there shouldn't be a hard requirement to lock down qemu-fe more
>> than libvirtd. Instead, the requirement should be for qemu-fe to be
>> as/more vigilant in not trusting qemu-system-x86_64 as libvirtd is.
>>
>> The fundamental problem here, is that there is some logic in
>> libvirtd that rightly belongs in QEMU. In order to preserve the
>> security model, that means that we're going to have to take a
>> subsection of QEMU and trust it more.
>
> Well we have a process that makes security decisions, and a process
> which applies those security decisions and a process which is confined
> by those decisions. Currently libvirtd makes& applies the decisions,
> and qemu is confined. A qemu-fe model would mean that libvirt is making
> the decisions, but is then relying on qemu-fe to apply them. IMHO that
> split is undesirable, but that's besides the point, since this is not
> a decision that needs to be made now.
>
> 'qemu-fe' needs to have a way to communicate with the confined process
> ('qemu-system-XXX') to supply it the resources (file FDs) it needs to
> access. The requirements of such a comms channel for qemu-fe are going
> to be the same as those needed by libvirtd talking to QEMU today, or
> indeed by any process that is applying security decisions to QEMU.
But the fundamental difference is that libvirtd uses what's ostensible a
public, supported interface. That means when we add things like this,
we're stuck supporting it for general use cases.
It's much more palatable to do these things using a private interface
such that we can change these things down the road without worrying
about compatibility with third-party tools.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2011-08-22 19:25 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-22 14:50 [Qemu-devel] [PATCH v4] Add support for fd: protocol Corey Bryant
2011-08-22 15:38 ` Christoph Hellwig
2011-08-22 16:06 ` Corey Bryant
2011-08-22 16:24 ` [Qemu-devel] [libvirt] " Daniel P. Berrange
2011-08-22 16:29 ` Anthony Liguori
2011-08-22 16:50 ` Daniel P. Berrange
2011-08-22 17:25 ` Anthony Liguori
2011-08-22 17:42 ` Corey Bryant
2011-08-22 18:39 ` Blue Swirl
2011-08-23 15:13 ` Corey Bryant
2011-08-23 15:26 ` Daniel P. Berrange
2011-08-23 15:50 ` Kevin Wolf
2011-08-23 15:51 ` Daniel P. Berrange
2011-08-23 16:04 ` Daniel P. Berrange
2011-08-23 16:14 ` Corey Bryant
2011-08-22 18:22 ` Daniel P. Berrange
2011-08-22 18:54 ` Blue Swirl
2011-08-22 19:25 ` Anthony Liguori [this message]
2011-08-23 14:26 ` Corey Bryant
2011-08-23 14:33 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E52AD18.9010907@us.ibm.com \
--to=aliguori@us.ibm.com \
--cc=berrange@redhat.com \
--cc=coreyb@linux.vnet.ibm.com \
--cc=hch@lst.de \
--cc=kwolf@redhat.com \
--cc=libvir-list@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).