* [Qemu-devel] KVM call agenda for November 22
From: Juan Quintela @ 2011-11-21 16:00 UTC (permalink / raw)
  To: KVM devel mailing list, Developers qemu-devel
Hi
Please send in any agenda items you are interested in covering.
Later, Juan.
* Re: [Qemu-devel] KVM call agenda for November 22
From: Anthony Liguori @ 2011-11-21 20:43 UTC (permalink / raw)
  To: quintela; +Cc: Developers qemu-devel, KVM devel mailing list
On 11/21/2011 10:00 AM, Juan Quintela wrote:
>
> Hi
>
> Please send in any agenda items you are interested in covering.
I'm technically on holiday this week so I won't be attending.
But as an FYI, I ran across seccomp-nurse[1] this weekend.  It more or less
lets you write a Python program to implement a userspace syscall whitelist.
I haven't looked at the code closely enough yet, but I think the technique it uses
is to create a companion thread alongside the sandbox thread.  This thread only
runs code in an area mapped read-only and presumably only uses thread-local storage.
The companion thread isn't running in the sandbox, but has the same resources as
the sandbox thread so it can essentially invoke syscalls on behalf of the
sandbox thread.
It's seriously non-portable.  In fact, it only works on 32-bit x86 Linux right
now.  But it's worth looking into.
[1] http://chdir.org/~nico/seccomp-nurse/
Regards,
Anthony Liguori
>
> Later, Juan.
>
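To make the companion-thread model described above concrete, here is an added example in C (not seccomp-nurse's own code and not part of the original thread): one thread enters seccomp strict mode, after which it can only read, write and _exit, while a companion thread in the same process holds the whitelist and performs the open() on its behalf; because both threads share one fd table, the descriptor the companion opens is directly usable by the confined thread. It assumes Linux with glibc and a writable /tmp; the request format, the function names and the sample file are all constructed for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
struct req { const char *op, *path; };  /* sandbox -> nurse; raw pointers are fine: one shared address space */
struct chan { int to_nurse[2], from_nurse[2], fd; const char *path; char *buf; size_t len; ssize_t n; };
/* The whitelist lives only in the companion ("nurse") thread: a read-only open() is the sole request
 * honoured. Same process means same fd table, so the fd it opens is usable by the confined thread. */
int nurse_handle(const struct req *r) {
    if (strcmp(r->op, "open") != 0) return -EPERM;     /* default deny: no syscall is ever attempted */
    int fd = open(r->path, O_RDONLY | O_CLOEXEC);     /* a real nurse copies and validates the path first */
    return fd < 0 ? -errno : fd;
}
static void *nurse_thread(void *p) {                   /* unconfined helper; serves exactly one request */
    struct chan *c = p; struct req r; int res = -EIO;
    if (read(c->to_nurse[0], &r, sizeof r) == (ssize_t)sizeof r) res = nurse_handle(&r);
    (void)!write(c->from_nurse[1], &res, sizeof res);
    return NULL;
}
/* Confined thread: under seccomp strict mode only read/write/_exit/sigreturn survive, so it asks the
 * nurse for the open() and exits through a raw _exit (glibc's thread teardown would be SIGKILLed).
 * If strict mode is refused (e.g. EACCES: a BPF filter is already installed) it just runs unconfined. */
static void *sandbox_thread(void *p) {
    struct chan *c = p; struct req r = { "open", c->path };
    prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
    if (write(c->to_nurse[1], &r, sizeof r) == (ssize_t)sizeof r &&
        read(c->from_nurse[0], &c->fd, sizeof c->fd) == (ssize_t)sizeof c->fd && c->fd >= 0)
        c->n = read(c->fd, c->buf, c->len - 1);        /* read() is permitted, open() was not */
    c->buf[c->n > 0 ? c->n : 0] = '\0';
    for (;;) syscall(SYS_exit, 0);
}
/* Reads `path` through the broker into buf; returns bytes read, or -1 if refused or failed. */
ssize_t brokered_read(const char *path, char *buf, size_t len) {
    struct chan c = { .fd = -1, .path = path, .buf = buf, .len = len, .n = -1 }; pthread_t nurse, sandbox;
    if (pipe(c.to_nurse) || pipe(c.from_nurse)) return -1;
    pthread_create(&nurse, NULL, nurse_thread, &c);    /* helper must exist before confinement */
    pthread_create(&sandbox, NULL, sandbox_thread, &c);
    pthread_join(sandbox, NULL); pthread_join(nurse, NULL); if (c.fd >= 0) close(c.fd);
    for (int i = 0; i < 2; i++) { close(c.to_nurse[i]); close(c.from_nurse[i]); }
    return c.n;
}
int make_sample_file(const char *path) {               /* constructed sample input for the demo */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return (fd >= 0 && write(fd, "hello from the nurse\n", 21) == 21 && close(fd) == 0) ? 0 : -1;
}
```

A refused request never reaches the kernel at all, which is the property a broker of this shape buys you over a bare syscall filter.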
* Re: [Qemu-devel] KVM call agenda for November 22
From: Juan Quintela @ 2011-11-22 14:39 UTC (permalink / raw)
  To: KVM devel mailing list; +Cc: Developers qemu-devel
Juan Quintela <quintela@redhat.com> wrote:
> Hi
>
> Please send in any agenda items you are interested in covering.
As there is no topic for today, and Anthony just gave us some reading, we
will cancel today's call.
Happy hacking (and reading), Juan.
* Re: [Qemu-devel] KVM call agenda for November 22
From: Stefan Hajnoczi @ 2011-11-22 15:00 UTC (permalink / raw)
  To: quintela; +Cc: Developers qemu-devel, KVM devel mailing list
On Tue, Nov 22, 2011 at 2:39 PM, Juan Quintela <quintela@redhat.com> wrote:
> Juan Quintela <quintela@redhat.com> wrote:
>> Hi
>>
>> Please send in any agenda items you are interested in covering.
>
> As there is no topic for today, and Anthony just gave us some reading, we
> will cancel today's call.
>
> Happy hacking (and reading), Juan.
I think Anthony was trying to provide some background for a QEMU/KVM
sandboxing discussion in today's call.  Let's see who is joining
because they may want to discuss sandboxing.
Stefan
* Re: [Qemu-devel] KVM call agenda for November 22
From: Stefan Hajnoczi @ 2011-11-22 15:12 UTC (permalink / raw)
  To: quintela; +Cc: Developers qemu-devel, KVM devel mailing list
On Tue, Nov 22, 2011 at 3:00 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> On Tue, Nov 22, 2011 at 2:39 PM, Juan Quintela <quintela@redhat.com> wrote:
>> Juan Quintela <quintela@redhat.com> wrote:
>>> Hi
>>>
>>> Please send in any agenda items you are interested in covering.
>>
>> As there is no topic for today, and Anthony just gave us some reading, we
>> will cancel today's call.
>>
>> Happy hacking (and reading), Juan.
>
> I think Anthony was trying to provide some background for a QEMU/KVM
> sandboxing discussion in today's call.  Let's see who is joining
> because they may want to discuss sandboxing.
It's 10 minutes past now.  Please ignore my request :).
Stefan
* Re: [Qemu-devel] KVM call agenda for November 22
From: 王永博 @ 2011-11-23  1:44 UTC (permalink / raw)
  To: quintela; +Cc: Developers qemu-devel, KVM devel mailing list
Does KVM have an API like VMsafe to help cooperators protect their products?
* Re: [Qemu-devel] KVM call agenda for November 22
From: Alex Jia @ 2011-11-23  3:07 UTC (permalink / raw)
  To: 王永博
  Cc: Developers qemu-devel, KVM devel mailing list, quintela
Hi Yongbo,
I know VMsafe covers three main areas, Memory, Disk and Network,
for securing the virtual environment. As far as I know, for KVM
security we have similar security features or resource management
and control, for instance:
1. Host network isolation: configuring a network interface for the host
and a separate network interface for the guest operating systems.
2. SELinux automatically stores and protects images on the host.
3. Secure remote management with libvirt, such as using SSH tunnels,
using SASL authentication and encryption, and using TLS for remote access.
4. Using sVirt to isolate virtual machines.
5. With cgroups in RHEL6, you can restrict a set of tasks to a set of
resources, prevent denial-of-service situations in KVM environments,
and monitor resource use.
6. Disk-image encryption is a technique aimed at protecting data at rest.
7. Auditing the KVM virtualization host and guests.
In addition, libvirt includes a pluggable framework for lock managers,
which hypervisor drivers can use to ensure safety for guest domain disks,
and potentially other resources.
Of course, I'm not a developer; I believe that virt developers can show
you more security techniques or features for virtualization.
Regards,
Alex
* Re: [Qemu-devel] KVM call agenda for November 22
From: 王永博 @ 2011-11-23  3:11 UTC (permalink / raw)
  To: Alex Jia; +Cc: Developers qemu-devel, KVM devel mailing list, quintela
Thank you !