From: Zhi Yong Wu
To: Stefan Hajnoczi
Cc: Kevin Wolf, libvir-list@redhat.com, Anthony Liguori, qemu-devel@nongnu.org
Date: Thu, 17 May 2012 22:02:01 +0800
Subject: Re: [Qemu-devel] [libvirt] [RFC 0/5] block: File descriptor passing using -open-hook-fd

On Thu, May 17, 2012 at 9:42 PM, Stefan Hajnoczi wrote:
> On Fri, May 04, 2012 at 11:28:47AM +0800, Zhi Yong Wu wrote:
>> On Tue, May 1, 2012 at 11:31 PM, Stefan Hajnoczi wrote:
>> > Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
>> > it from opening files that it should not have access to. This improves
>> > security because it prevents the attacker from escaping the QEMU process if
>> > they manage to gain control.
>> >
>> > NFS has been a pain point for SELinux because it does not support labels (which
>> > I believe are stored in extended attributes). In other words, it's not
>> > possible to use SELinux goodness on QEMU when image files are located on NFS.
>> > Today we have to allow QEMU access to any file on the NFS export rather than
>> > restricting specifically to the image files that the guest requires.
>> >
>> > File descriptor passing is a solution to this problem and might also come in
>> > handy elsewhere. Libvirt or another external process chooses files which QEMU
>> > is allowed to access and provides just those file descriptors - QEMU cannot
>> > open the files itself.
>> >
>> > This series adds the -open-hook-fd command-line option. Whenever QEMU needs to
>> > open an image file it sends a request over the given UNIX domain socket. The
>> > response includes the file descriptor or an errno on failure. Please see the
>> > patches for details on the protocol.
>> >
>> > The -open-hook-fd approach allows QEMU to support file descriptor passing
>> > without changing -drive. It also supports snapshot_blkdev and other commands
>> By the way, how will it support them?
>
> The problem with snapshot_blkdev is that closing a file and opening a
> new file cannot be done by the QEMU process when an SELinux policy is in
> place to prevent opening files.
>
> The -open-hook-fd approach works even when the QEMU process is not
> allowed to open files since file descriptor passing over a UNIX domain
> socket is used to open files on behalf of QEMU.

I thought that the patchset can only let QEMU passively get the passed fd
parameter from the upper application.

>
> Stefan
>

-- 
Regards,

Zhi Yong Wu
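The mechanism the thread is discussing, a confined process asking a privileged broker to open a file on its behalf and receiving the descriptor over a UNIX domain socket via SCM_RIGHTS, as an added Python example that is not part of this thread and not the RFC series' own protocol. The request and reply framing (path bytes as the request; a 4-byte little-endian errno, 0 on success, followed by the fd as ancillary data) is constructed here purely for illustration; the real -open-hook-fd protocol is defined in the patches. The broker's allowlist stands in for the policy decision that libvirt would make, and both ends run in one process over a socketpair so the exchange can be followed step by step.

```python
"""Broker-side file opening with fd passing over a UNIX domain socket (SCM_RIGHTS).

Assumptions (not from the thread): the wire format below is made up for this
example, and the allowlist is a plain set of paths.
"""
import array
import errno
import os
import socket
import tempfile


def serve_open_request(sock, allowed_paths):
    """Broker side: read one path request, open it only if allowlisted, pass the fd.

    Returns the path that was opened, or None if the request was refused/failed.
    """
    path = sock.recv(4096).decode()
    if path not in allowed_paths:
        # Policy decision lives here, not in the confined process.
        sock.sendall(errno.EACCES.to_bytes(4, "little"))
        return None
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as e:
        sock.sendall(e.errno.to_bytes(4, "little"))
        return None
    try:
        # Success: errno 0 in the data part, the descriptor in SCM_RIGHTS.
        sock.sendmsg(
            [(0).to_bytes(4, "little")],
            [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))],
        )
    finally:
        # The in-flight message holds its own reference; the broker drops its copy.
        os.close(fd)
    return path


def send_open_request(sock, path):
    """Confined side, step 1: ask the broker for a descriptor for `path`."""
    sock.sendall(path.encode())


def recv_open_reply(sock):
    """Confined side, step 2: collect (errno, fd). fd is None when refused."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(4, socket.CMSG_SPACE(fds.itemsize))
    err = int.from_bytes(msg, "little")
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Truncate to whole ints in case the kernel padded the payload.
            fds.frombytes(cdata[: len(cdata) - (len(cdata) % fds.itemsize)])
    if err != 0 or not fds:
        return (err or errno.EIO), None
    return 0, fds[0]


def demo():
    """Run one allowed and one refused request; return the observed outcomes."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk.img")      # constructed sample files
        secret = os.path.join(d, "secret.txt")
        with open(image, "wb") as f:
            f.write(b"QFI\xfb constructed image bytes")
        with open(secret, "wb") as f:
            f.write(b"not for the guest")

        broker, confined = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        out = {}
        try:
            # 1. The image is on the allowlist: broker opens it and passes the fd.
            send_open_request(confined, image)
            serve_open_request(broker, {image})
            err, fd = recv_open_reply(confined)
            out["image_errno"] = err
            out["image_bytes"] = os.read(fd, 4) if fd is not None else None
            if fd is not None:
                os.close(fd)

            # 2. Anything else is refused with EACCES and no descriptor.
            send_open_request(confined, secret)
            serve_open_request(broker, {image})
            err, fd = recv_open_reply(confined)
            out["secret_denied"] = err == errno.EACCES
            out["secret_fd"] = fd
        finally:
            broker.close()
            confined.close()
        return out


if __name__ == "__main__":
    print(demo())
```

Because the confined side never calls open() itself, an SELinux policy that forbids it from opening files does not interfere; the same two-step exchange covers the snapshot_blkdev case from the thread, where a running QEMU needs a fresh descriptor for a new image file.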