From: Corey Bryant
Date: Fri, 08 Jun 2012 13:10:23 -0400
Subject: Re: [Qemu-devel] [PATCH v2 0/4] file descriptor passing using passfd
To: Corey Bryant
Cc: kwolf@redhat.com, aliguori@us.ibm.com, stefanha@linux.vnet.ibm.com, libvir-list@redhat.com, qemu-devel@nongnu.org, eblake@redhat.com
Message-ID: <4FD231FF.6000007@linux.vnet.ibm.com>
In-Reply-To: <1339170179-2554-1-git-send-email-coreyb@linux.vnet.ibm.com>
References: <1339170179-2554-1-git-send-email-coreyb@linux.vnet.ibm.com>

Please review this patch series if you could. I apologize for sending it
more than once.

Thanks!

-- 
Regards,
Corey

On 06/08/2012 11:42 AM, Corey Bryant wrote:
> libvirt's sVirt security driver provides SELinux MAC isolation for
> Qemu guest processes and their corresponding image files. In other
> words, sVirt uses SELinux to prevent a QEMU process from opening
> files that do not belong to it.
>
> sVirt provides this support by labeling guests and resources with
> security labels that are stored in file system extended attributes.
> Some file systems, such as NFS, do not support the extended
> attribute security namespace, and therefore cannot support sVirt
> isolation.
>
> A solution to this problem is to provide fd passing support, where
> libvirt opens files and passes file descriptors to QEMU. This,
> along with SELinux policy to prevent QEMU from opening files, can
> provide image file isolation for NFS files stored on the same NFS
> mount.
>
> This patch series adds the passfd QMP monitor command, which allows
> an fd to be passed via SCM_RIGHTS, and returns the received file
> descriptor. Support is also added to the block layer to allow QEMU
> to dup the fd when the filename is of the /dev/fd/X format. This
> is useful if MAC policy prevents QEMU from opening specific types
> of files.
>
> One nice thing about this approach is that no new SELinux policy is
> required to prevent open of NFS files (files with type nfs_t). The
> virt_use_nfs boolean type simply needs to be set to false, and open
> will be prevented (and dup will be allowed). For example:
>
> # setsebool virt_use_nfs 0
> # getsebool virt_use_nfs
> virt_use_nfs --> off
>
> Corey Bryant (4):
>   qapi: Convert getfd and closefd
>   qapi: Add passfd QMP command
>   osdep: Enable qemu_open to dup pre-opened fd
>   block: Convert open calls to qemu_open
>
>  block/raw-posix.c |   18 +++++++++---------
>  block/raw-win32.c |    4 ++--
>  block/vdi.c       |    5 +++--
>  block/vmdk.c      |   21 +++++++++------------
>  block/vpc.c       |    2 +-
>  block/vvfat.c     |   21 +++++++++++----------
>  hmp-commands.hx   |    6 ++----
>  hmp.c             |   18 ++++++++++++++++++
>  hmp.h             |    2 ++
>  monitor.c         |   36 ++++++++++++++++++++---------------
>  osdep.c           |   13 +++++++++++++
>  qapi-schema.json  |   44 ++++++++++++++++++++++++++++++++++++++++++++
>  qmp-commands.hx   |   33 +++++++++++++++++++++++++++++----
>  13 files changed, 163 insertions(+), 60 deletions(-)
>
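The two halves of the mechanism the cover letter describes, passing an open fd over a UNIX socket with SCM_RIGHTS (what passfd receives) and reopening a "/dev/fd/N" name by dup() instead of open() (what the qemu_open change does), shown as an added C example; this is not code from the patch series, and send_fd, recv_fd, open_or_dup and round_trip are names chosen here. It assumes a Linux/POSIX host and uses /dev/null as a stand-in for the image file libvirt would open on behalf of QEMU.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Sender (libvirt side): one carrier byte, the fd rides as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd)
{
    char byte = 0, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int)); memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receiver (what passfd does): returns the fd the kernel installed in this process, or -1. */
static int recv_fd(int sock)
{
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm; int fd;
    if (recvmsg(sock, &msg, 0) != 1 || !(cm = CMSG_FIRSTHDR(&msg))) return -1;
    if (cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int)); return fd;
}
/* Block-layer side: "/dev/fd/N" is dup()ed, never open()ed, so a MAC-denied open is never attempted. */
static int open_or_dup(const char *filename, int flags)
{
    char *end; long n;
    if (strncmp(filename, "/dev/fd/", 8) != 0) return open(filename, flags);
    n = strtol(filename + 8, &end, 10);
    if (end == filename + 8 || *end || n < 0 || (int)n != n) return -1;  /* reject "", "12x", "-1" */
    return dup((int)n);
}
/* Constructed round trip over a socketpair: 0 on success, -1 on any failure. */
static int round_trip(void)
{
    int sv[2], src, passed, reopened; char name[32];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((src = open("/dev/null", O_RDONLY)) < 0 || send_fd(sv[0], src) < 0) return -1;
    passed = recv_fd(sv[1]);                       /* a fresh fd number in the receiver */
    snprintf(name, sizeof(name), "/dev/fd/%d", passed);
    reopened = open_or_dup(name, O_RDONLY);        /* dup(), no open() of the real path */
    close(src); close(passed); close(sv[0]); close(sv[1]);
    return reopened < 0 ? -1 : close(reopened);
}
```

The dup() path means the SELinux decision is made once, at libvirt's open(), and QEMU never needs an open permission on nfs_t files, which is why turning off virt_use_nfs is enough.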