From: Kevin Wolf <kwolf@redhat.com>
To: Corey Bryant <coreyb@linux.vnet.ibm.com>
Cc: aliguori@us.ibm.com, stefanha@linux.vnet.ibm.com,
libvir-list@redhat.com, qemu-devel@nongnu.org,
lcapitulino@redhat.com, pbonzini@redhat.com, eblake@redhat.com
Subject: Re: [Qemu-devel] [PATCH v8 0/7] file descriptor passing using fd sets
Date: Fri, 10 Aug 2012 18:36:24 +0200
Message-ID: <50253888.7070100@redhat.com>
In-Reply-To: <1344564649-6272-1-git-send-email-coreyb@linux.vnet.ibm.com>

On 10.08.2012 04:10, Corey Bryant wrote:
> libvirt's sVirt security driver provides SELinux MAC isolation for
> Qemu guest processes and their corresponding image files. In other
> words, sVirt uses SELinux to prevent a QEMU process from opening
> files that do not belong to it.
>
> sVirt provides this support by labeling guests and resources with
> security labels that are stored in file system extended attributes.
> Some file systems, such as NFS, do not support the extended
> attribute security namespace, and therefore cannot support sVirt
> isolation.
>
> A solution to this problem is to provide fd passing support, where
> libvirt opens files and passes file descriptors to QEMU. This,
> along with SELinux policy to prevent QEMU from opening files, can
> provide image file isolation for NFS files stored on the same NFS
> mount.
>
> This patch series adds the add-fd, remove-fd, and query-fdsets
> QMP monitor commands, which allow file descriptors to be passed
> via SCM_RIGHTS, and assigned to specified fd sets. This allows
> fd sets to be created per file with fds having, for example,
> different access rights. When QEMU needs to reopen a file with
> different access rights, it can search for a matching fd in the
> fd set. Fd sets also allow for easy tracking of fds per file,
> helping to prevent fd leaks.
>
> Support is also added to the block layer to allow QEMU to dup an
> fd from an fdset when the filename is of the /dev/fdset/nnn format,
> where nnn is the fd set ID.
>
> No new SELinux policy is required to prevent open of NFS files
> (files with type nfs_t). The virt_use_nfs boolean type simply
> needs to be set to false, and open will be prevented (and dup will
> be allowed). For example:
>
> # setsebool virt_use_nfs 0
> # getsebool virt_use_nfs
> virt_use_nfs --> off
>
> Corey Bryant (7):
>   qemu-char: Add MSG_CMSG_CLOEXEC flag to recvmsg
>   qapi: Introduce add-fd, remove-fd, query-fdsets
>   monitor: Clean up fd sets on monitor disconnect
>   block: Prevent detection of /dev/fdset/ as floppy
>   block: Convert open calls to qemu_open
>   block: Convert close calls to qemu_close
>   block: Enable qemu_open/close to work with fd sets
>
>  block/raw-posix.c |  46 +++++----
>  block/raw-win32.c |   6 +-
>  block/vdi.c       |   5 +-
>  block/vmdk.c      |  25 ++---
>  block/vpc.c       |   4 +-
>  block/vvfat.c     |  16 +--
>  cutils.c          |   5 +
>  monitor.c         | 294 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  monitor.h         |   5 +
>  osdep.c           | 117 +++++++++++++++++++++
>  qapi-schema.json  |  98 ++++++++++++++++++
>  qemu-char.c       |  12 ++-
>  qemu-common.h     |   2 +
>  qemu-tool.c       |  20 ++++
>  qmp-commands.hx   | 117 +++++++++++++++++++++
>  savevm.c          |   4 +-
>  16 files changed, 721 insertions(+), 55 deletions(-)

Apart from the few comments I made, I like this series. Maybe v9 will be
the last one. :-)

Kevin
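
The mechanism the quoted cover letter describes, as an added example that is not part of this thread and is not QEMU or libvirt code: one side opens a file and hands the descriptor over a UNIX socket via SCM_RIGHTS, and the other side receives it with the MSG_CMSG_CLOEXEC flag named in patch 1/7. The names `send_fd`, `recv_fd` and `demo_fd_passing` and the temporary file are hypothetical; Linux and a C11 compiler are assumed.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Sender (libvirt's role): one data byte must accompany the SCM_RIGHTS control message. */
static int send_fd(int sock, int fd)
{
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = { 0 };
    struct msghdr msg = { .msg_iov = &(struct iovec){ (char[1]){ 0 }, 1 }, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver (QEMU's role): MSG_CMSG_CLOEXEC sets close-on-exec on the fd as it is received. */
static int recv_fd(int sock)
{
    int fd;
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(int))] = { 0 };
    struct msghdr msg = { .msg_iov = &(struct iovec){ (char[1]){ 0 }, 1 }, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;  /* accept exactly one fd */
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Returns 1 if the passed fd arrives close-on-exec and reads the sender's file. */
int demo_fd_passing(void)
{
    int sv[2], got = -1, ok, img;
    char buf[10], path[] = "/tmp/fdpass-demo-XXXXXX"; /* constructed sample "image" */
    if ((img = mkstemp(path)) < 0) return -1;
    if (unlink(path) < 0 || pwrite(img, "image-data", 10, 0) != 10 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(img); return -1; }
    ok = send_fd(sv[0], img) == 0 && (got = recv_fd(sv[1])) >= 0 &&
         (fcntl(got, F_GETFD) & FD_CLOEXEC) && read(got, buf, 10) == 10 &&
         memcmp(buf, "image-data", 10) == 0;
    if (got >= 0) close(got);
    close(img); close(sv[0]); close(sv[1]);
    return ok;
}
```

The file is unlinked before the descriptor is sent, so the receiver reaches the data only through the passed fd, never by calling open() on a path.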