qemu-devel.nongnu.org archive mirror
From: Corey Bryant <coreyb@linux.vnet.ibm.com>
To: Kevin Wolf <kwolf@redhat.com>
Cc: aliguori@us.ibm.com, stefanha@linux.vnet.ibm.com,
	libvir-list@redhat.com, qemu-devel@nongnu.org,
	lcapitulino@redhat.com, pbonzini@redhat.com, eblake@redhat.com
Subject: Re: [Qemu-devel] [PATCH v8 0/7] file descriptor passing using fd sets
Date: Fri, 10 Aug 2012 12:57:45 -0400
Message-ID: <50253D89.4090707@linux.vnet.ibm.com>
In-Reply-To: <50253888.7070100@redhat.com>



On 08/10/2012 12:36 PM, Kevin Wolf wrote:
> On 10.08.2012 04:10, Corey Bryant wrote:
>> libvirt's sVirt security driver provides SELinux MAC isolation for
>> Qemu guest processes and their corresponding image files.  In other
>> words, sVirt uses SELinux to prevent a QEMU process from opening
>> files that do not belong to it.
>>
>> sVirt provides this support by labeling guests and resources with
>> security labels that are stored in file system extended attributes.
>> Some file systems, such as NFS, do not support the extended
>> attribute security namespace, and therefore cannot support sVirt
>> isolation.
>>
>> A solution to this problem is to provide fd passing support, where
>> libvirt opens files and passes file descriptors to QEMU.  This,
>> along with SELinux policy to prevent QEMU from opening files, can
>> provide image file isolation for NFS files stored on the same NFS
>> mount.
>>
>> This patch series adds the add-fd, remove-fd, and query-fdsets
>> QMP monitor commands, which allow file descriptors to be passed
>> via SCM_RIGHTS, and assigned to specified fd sets.  This allows
>> fd sets to be created per file with fds having, for example,
>> different access rights.  When QEMU needs to reopen a file with
>> different access rights, it can search for a matching fd in the
>> fd set.  Fd sets also allow for easy tracking of fds per file,
>> helping to prevent fd leaks.
>>
>> Support is also added to the block layer to allow QEMU to dup an
>> fd from an fdset when the filename is of the /dev/fdset/nnn format,
>> where nnn is the fd set ID.
>>
>> No new SELinux policy is required to prevent open of NFS files
>> (files with type nfs_t).  The virt_use_nfs boolean type simply
>> needs to be set to false, and open will be prevented (and dup will
>> be allowed).  For example:
>>
>>      # setsebool virt_use_nfs 0
>>      # getsebool virt_use_nfs
>>      virt_use_nfs --> off
>>
>> Corey Bryant (7):
>>    qemu-char: Add MSG_CMSG_CLOEXEC flag to recvmsg
>>    qapi: Introduce add-fd, remove-fd, query-fdsets
>>    monitor: Clean up fd sets on monitor disconnect
>>    block: Prevent detection of /dev/fdset/ as floppy
>>    block: Convert open calls to qemu_open
>>    block: Convert close calls to qemu_close
>>    block: Enable qemu_open/close to work with fd sets
>>
>>   block/raw-posix.c |   46 +++++----
>>   block/raw-win32.c |    6 +-
>>   block/vdi.c       |    5 +-
>>   block/vmdk.c      |   25 ++---
>>   block/vpc.c       |    4 +-
>>   block/vvfat.c     |   16 +--
>>   cutils.c          |    5 +
>>   monitor.c         |  294 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>>   monitor.h         |    5 +
>>   osdep.c           |  117 +++++++++++++++++++++
>>   qapi-schema.json  |   98 ++++++++++++++++++
>>   qemu-char.c       |   12 ++-
>>   qemu-common.h     |    2 +
>>   qemu-tool.c       |   20 ++++
>>   qmp-commands.hx   |  117 +++++++++++++++++++++
>>   savevm.c          |    4 +-
>>   16 files changed, 721 insertions(+), 55 deletions(-)
>
> Apart from the few comments I made, I like this series. Maybe v9 will be
> the last one. :-)

Thanks, I hope so too!

-- 
Regards,
Corey
