From: Eric Blake
To: Anthony Liguori
Cc: "qemu-devel@nongnu.org", Stefan Berger
Date: Mon, 04 Mar 2013 14:54:25 -0700
Subject: Re: [Qemu-devel] virtio-rng and fd passing
Message-ID: <51351811.3010204@redhat.com>
In-Reply-To: <87txouv6hp.fsf@codemonkey.ws>
References: <512FF819.7050505@redhat.com> <87k3pqzy2y.fsf@codemonkey.ws> <513110D3.5030503@linux.vnet.ibm.com> <87d2vig75m.fsf@codemonkey.ws> <51311A13.6030205@redhat.com> <87r4jy90wt.fsf@codemonkey.ws> <51313660.5010001@redhat.com> <87vc9apt7r.fsf@codemonkey.ws> <513147E4.5030005@redhat.com> <87txouv6hp.fsf@codemonkey.ws>

On 03/01/2013 08:13 PM, Anthony Liguori wrote:
> Eric Blake writes:
>
>> On 03/01/2013 04:59 PM, Anthony Liguori wrote:
>>> I said this when seccomp was first introduced and I'll say it again.
>>> blacklisting open() is a bad idea. DAC and MAC already exist and solve
>>> this problem. We've got filesystem namespaces too.
>>
>> Let's explore that idea a bit further.
>> What happens if libvirt decides
>> to create a new filesystem namespace for qemu, where libvirt unmounts
>> all non-local filesystems, as well as any file system that does not
>> support SELinux labeling. Then all remaining filesystems, seen by qemu,
>> will enforce SELinux semantics, and we can let qemu open() at will
>> because the open will then be guarded by SELinux. The only remaining
>> access is to files on the unmounted file systems, where fd passing from
>> libvirt bypasses the fact that qemu can't see the file system. I could
>> see that working, and it would still let us get rid of the selinux
>> virt_use_nfs bool while still providing secure NFS out-of-the-box. And
>> your argument is that virtio-rng should be pointed to a character
>> device, never an NFS file, and therefore not using qemu_open() is no
>> real loss because open() will not be blacklisted, just NFS file systems.
>> Okay, maybe that will work.
>
> A simpler version would be to chroot the QEMU process but sure.

chroot is escapable, but you are correct that there are indeed ways of
restricting open() on certain filesystems without blacklisting all open()
in general.
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
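The mechanism the thread relies on, "fd passing from libvirt bypasses the fact that qemu can't see the file system", is SCM_RIGHTS over a Unix-domain socket. The following is an added, stand-alone example written for this page; it is not code from the thread, from QEMU or from libvirt. A forked child plays the privileged side (libvirt): it creates a temporary file, unlinks it so that no path to it exists any more, and hands the open descriptor to the parent, which plays the sandboxed side (qemu). The parent then shows that open() by name fails (ENOENT) while reading through the passed descriptor succeeds. The file name, the payload string, the helper names send_fd/recv_fd/demo_fd_passing and the use of TMPDIR or /tmp are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one fd plus a small data payload over a Unix-domain socket (SCM_RIGHTS). */
int send_fd(int sock, int fd, const void *data, size_t len)
{
    struct iovec iov = { .iov_base = (void *)data, .iov_len = len };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(u.buf, 0, sizeof u.buf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == (ssize_t)len ? 0 : -1;
}

/* Receive exactly one fd plus payload; returns the fd or -1, payload length in *got. */
int recv_fd(int sock, void *data, size_t len, size_t *got)
{
    struct iovec iov = { .iov_base = data, .iov_len = len };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    ssize_t n = recvmsg(sock, &msg, 0);
    if (n < 0 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    *got = (size_t)n;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;                       /* refuse anything but exactly one fd */
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    fcntl(fd, F_SETFD, FD_CLOEXEC);      /* don't leak it into anything we exec later */
    return fd;
}

/* Worked exchange. Returns bytes the "qemu" parent read through the passed fd (or -1);
 * *open_errno receives the errno the parent got when it tried open() on the path. */
int demo_fd_passing(char *out, size_t outlen, int *open_errno)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* "libvirt" side */
        close(sv[1]);
        char path[128];
        const char *dir = getenv("TMPDIR");   /* assumption: TMPDIR or /tmp is writable */
        snprintf(path, sizeof path, "%s/fdpass-demo-XXXXXX", dir ? dir : "/tmp");
        int fd = mkstemp(path);
        if (fd < 0)
            _exit(1);
        const char payload[] = "entropy-from-privileged-side";   /* constructed sample data */
        if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1))
            _exit(1);
        lseek(fd, 0, SEEK_SET);
        unlink(path);                    /* the fd outlives the name */
        _exit(send_fd(sv[0], fd, path, strlen(path) + 1) < 0 ? 1 : 0);
    }
    close(sv[0]);                        /* "qemu" side */
    char path[128];
    size_t got = 0;
    int fd = recv_fd(sv[1], path, sizeof path, &got);
    close(sv[1]);
    int status;
    waitpid(pid, &status, 0);
    if (fd < 0 || got == 0 || path[got - 1] != '\0')
        return -1;
    int byname = open(path, O_RDONLY);   /* cannot reach the file by name any more... */
    *open_errno = byname < 0 ? errno : 0;
    if (byname >= 0)
        close(byname);
    ssize_t n = read(fd, out, outlen - 1); /* ...but the handed-over fd still works */
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    int e = 0;
    int n = demo_fd_passing(buf, sizeof buf, &e);
    printf("read %d bytes via passed fd: \"%s\"; open() by name: %s\n",
           n, n < 0 ? "" : buf, e ? strerror(e) : "succeeded");
    return n < 0 ? 1 : 0;
}
```

The receiver deliberately rejects any control message that is not exactly one SCM_RIGHTS descriptor and marks the received fd close-on-exec; a real management daemon would additionally verify with fstat() that what it received is the kind of file it expected (for virtio-rng, a character device) before using it.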