From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:47971)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1SeocJ-00038T-1a
	for qemu-devel@nongnu.org; Wed, 13 Jun 2012 10:32:20 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1SeocC-0000bM-LX
	for qemu-devel@nongnu.org; Wed, 13 Jun 2012 10:32:14 -0400
Received: from e7.ny.us.ibm.com ([32.97.182.137]:48565)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1SeocC-0000VQ-Gy
	for qemu-devel@nongnu.org; Wed, 13 Jun 2012 10:32:08 -0400
Received: from /spool/local
	by e7.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <coreyb@linux.vnet.ibm.com>;
	Wed, 13 Jun 2012 10:32:04 -0400
Received: from d01relay05.pok.ibm.com (d01relay05.pok.ibm.com [9.56.227.237])
	by d01dlp02.pok.ibm.com (Postfix) with ESMTP id 278186E805D
	for <qemu-devel@nongnu.org>; Wed, 13 Jun 2012 10:31:59 -0400 (EDT)
Received: from d01av02.pok.ibm.com (d01av02.pok.ibm.com [9.56.224.216])
	by d01relay05.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q5DEVvGG184854
	for <qemu-devel@nongnu.org>; Wed, 13 Jun 2012 10:31:57 -0400
Received: from d01av02.pok.ibm.com (loopback [127.0.0.1])
	by d01av02.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	q5DEVvm7028615
	for <qemu-devel@nongnu.org>; Wed, 13 Jun 2012 11:31:57 -0300
Message-ID: <4FD8A45B.2020606@linux.vnet.ibm.com>
Date: Wed, 13 Jun 2012 10:31:55 -0400
From: Corey Bryant <coreyb@linux.vnet.ibm.com>
MIME-Version: 1.0
References: <1339170179-2554-1-git-send-email-coreyb@linux.vnet.ibm.com>
	<4FD86B39.6060701@redhat.com>
In-Reply-To: <4FD86B39.6060701@redhat.com>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH v2 0/4] file descriptor passing using passfd
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Kevin Wolf <kwolf@redhat.com>
Cc: aliguori@us.ibm.com, stefanha@linux.vnet.ibm.com, libvir-list@redhat.com, qemu-devel@nongnu.org, Luiz Capitulino <lcapitulino@redhat.com>, eblake@redhat.com



On 06/13/2012 06:28 AM, Kevin Wolf wrote:
> Am 08.06.2012 17:42, schrieb Corey Bryant:
>> libvirt's sVirt security driver provides SELinux MAC isolation for
>> Qemu guest processes and their corresponding image files.  In other
>> words, sVirt uses SELinux to prevent a QEMU process from opening
>> files that do not belong to it.
>>
>> sVirt provides this support by labeling guests and resources with
>> security labels that are stored in file system extended attributes.
>> Some file systems, such as NFS, do not support the extended
>> attribute security namespace, and therefore cannot support sVirt
>> isolation.
>>
>> A solution to this problem is to provide fd passing support, where
>> libvirt opens files and passes file descriptors to QEMU.  This,
>> along with SELinux policy to prevent QEMU from opening files, can
>> provide image file isolation for NFS files stored on the same NFS
>> mount.
>>
>> This patch series adds the passfd QMP monitor command, which allows
>> an fd to be passed via SCM_RIGHTS, and returns the received file
>> descriptor.  Support is also added to the block layer to allow QEMU
>> to dup the fd when the filename is of the /dev/fd/X format.  This
>> is useful if MAC policy prevents QEMU from opening specific types
>> of files.
>>
>> One nice thing about this approach is that no new SELinux policy is
>> required to prevent open of NFS files (files with type nfs_t).  The
>> virt_use_nfs boolean type simply needs to be set to false, and open
>> will be prevented (and dup will be allowed).  For example:
>>
>>      # setsebool virt_use_nfs 0
>>      # getsebool virt_use_nfs
>>      virt_use_nfs --> off
>>
>> Corey Bryant (4):
>>    qapi: Convert getfd and closefd
>>    qapi: Add passfd QMP command
>>    osdep: Enable qemu_open to dup pre-opened fd
>>    block: Convert open calls to qemu_open
>>
>>   block/raw-posix.c |   18 +++++++++---------
>>   block/raw-win32.c |    4 ++--
>>   block/vdi.c       |    5 +++--
>>   block/vmdk.c      |   21 +++++++++------------
>>   block/vpc.c       |    2 +-
>>   block/vvfat.c     |   21 +++++++++++----------
>>   hmp-commands.hx   |    6 ++----
>>   hmp.c             |   18 ++++++++++++++++++
>>   hmp.h             |    2 ++
>>   monitor.c         |   36 ++++++++++++++++++++----------------
>>   osdep.c           |   13 +++++++++++++
>>   qapi-schema.json  |   44 ++++++++++++++++++++++++++++++++++++++++++++
>>   qmp-commands.hx   |   33 +++++++++++++++++++++++++++++----
>>   13 files changed, 163 insertions(+), 60 deletions(-)
>
> Looks good to me. If Luiz is okay with the QMP part, I'm going to apply
> this to the block branch.
>
> Corey, please make sure to check the host_floppy problem and send a
> patch if necessary.
>
> Kevin
>

Thanks!  I just sent a patch for the host_floppy issue.

-- 
Regards,
Corey