From: Corey Bryant
To: "Daniel P. Berrange"
Cc: "qemu-devel@nongnu.org", Anthony Liguori, Stefan Berger
Subject: Re: [Qemu-devel] virtio-rng and fd passing
Date: Mon, 04 Mar 2013 10:55:10 -0500
Message-ID: <5134C3DE.4060409@linux.vnet.ibm.com>
In-Reply-To: <20130304102937.GB8123@redhat.com>
References: <512FF819.7050505@redhat.com> <87k3pqzy2y.fsf@codemonkey.ws> <513110D3.5030503@linux.vnet.ibm.com> <87d2vig75m.fsf@codemonkey.ws> <51311A13.6030205@redhat.com> <87r4jy90wt.fsf@codemonkey.ws> <51313660.5010001@redhat.com> <20130304102937.GB8123@redhat.com>

On 03/04/2013 05:29 AM, Daniel P. Berrange wrote:
> On Fri, Mar 01, 2013 at 04:14:40PM -0700, Eric Blake wrote:
>>> I understand the reason that fdsets exist (because NFS is stupid and
>>> doesn't support labeling). But we aren't doing dynamic labeling of
>>> /dev/random and I strongly suspect it's not on NFS anyway.
>>>
>>> So why are we trying to pass fds here?
>>
>> Consistency - how do you write a policy that allows open("/dev/random")
>> while forbidding open("/nfs/...")? It's much simpler to forbid open(),
>> even if /dev/random doesn't have any labeling issues.
>
> IIUC, it is actually pretty straightforward from a policy POV. Every
> filesystem has a unique type, and SELinux can make rules scoped to that
> filesystem type. That's how we have the 'virt_use_nfs' tunable already
> which only affects NFS.
>
> Daniel
>

Yes, it should be simple, at least for SELinux. I think all we need to do is
remove the open permission from the qemu process (svirt_t) on NFS files
(files labeled with nfs_t).

Here's what I see for base qemu permissions on NFS files on Fedora 18:

$ sesearch -A -s svirt_t -t nfs_t | grep ": file" | grep open
allow virt_domain nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

And I think 'setsebool -P virt_use_nfs 0' will remove the open permission, so
this may already be covered.

I'm not sure how easy it is for other MAC implementations. Last I checked
AppArmor didn't have the granularity of preventing open and allowing
read/write.

-- 
Regards,
Corey Bryant
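The check Corey runs by hand above (sesearch, then grep for "open") is the kind of thing worth scripting as a policy audit: parse the allow rules, collect what svirt_t (via the virt_domain attribute) may do to nfs_t files, and flag whether open is still among the permissions while read/write remain. The following is an added example, not code from the thread or from setools. It parses the rule format sesearch printed in the post ('allow SRC TGT : CLASS { PERMS } ;', setools 3 style; the single-permission form without braces is an assumption). The first sample is the line quoted in the post; the second is a constructed, hypothetical policy of the shape the post hopes for (read/write kept, open dropped), not a claim about what 'setsebool -P virt_use_nfs 0' actually produces.

```python
"""Audit sesearch(1) output for qemu's permissions on NFS-labeled files.

Added example alongside the mailing-list post; not part of the thread and
not part of setools. Parses 'allow' rules in the format quoted in the post
and reports whether the 'open' permission is still granted on nfs_t files.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample: the sesearch line quoted in the post (virt_use_nfs on),
# plus a dir rule so the parser has to filter by object class.
SESEARCH_OPEN_ALLOWED = """\
allow virt_domain nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow virt_domain nfs_t : dir { ioctl read getattr lock search open } ;
"""

# Constructed, hypothetical policy: read/write on already-open descriptors is
# kept, open is gone. This is the shape the post wants, not real Fedora output.
SESEARCH_OPEN_DENIED = """\
allow virt_domain nfs_t : file { ioctl read write getattr lock append } ;
allow virt_domain nfs_t : dir search ;
"""


class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset


# 'allow SRC TGT : CLASS { p1 p2 ... } ;' or, assumed for single perms,
# 'allow SRC TGT : CLASS perm ;'.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;{}]+))\s*;"
)


def parse_sesearch(text: str) -> List[AllowRule]:
    """Return the allow rules found in sesearch output; other lines are skipped."""
    rules: List[AllowRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        rules.append(AllowRule(m["src"], m["tgt"], m["cls"], frozenset(perms)))
    return rules


def perms_for(rules: List[AllowRule], target: str, tclass: str,
              sources=("svirt_t", "virt_domain")) -> Set[str]:
    """Union of permissions any of `sources` holds on target:tclass.

    svirt_t gets its NFS access through the virt_domain attribute, which is
    why 'sesearch -s svirt_t' prints rules whose source is virt_domain.
    """
    granted: Set[str] = set()
    for r in rules:
        if r.target == target and r.tclass == tclass and r.source in sources:
            granted |= r.perms
    return granted


def audit_nfs_file_access(text: str) -> Dict[str, bool]:
    """Summarize whether qemu may open, read and write nfs_t files."""
    perms = perms_for(parse_sesearch(text), "nfs_t", "file")
    return {p: p in perms for p in ("open", "read", "write")}


def nfs_open_allowed(text: str) -> bool:
    """True when the policy still lets qemu call open() on nfs_t files."""
    return audit_nfs_file_access(text)["open"]


if __name__ == "__main__":
    for label, output in (("sample 1 (as quoted in the post)", SESEARCH_OPEN_ALLOWED),
                          ("sample 2 (hypothetical, open removed)", SESEARCH_OPEN_DENIED)):
        print(label, audit_nfs_file_access(output))
```

On a real host, feed it the live output ('sesearch -A -s svirt_t -t nfs_t') before and after toggling virt_use_nfs to confirm that open disappears while read/write survive, which is exactly the split the post wants for fd-passed files.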