Re: [Qemu-devel] [libvirt] live snapshot wiki updated
From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [libvirt] live snapshot wiki updated
Date: Wed, 20 Jul 2011 12:40:51 +0100

On Wed, Jul 20, 2011 at 11:28 AM, Daniel P. Berrange
<address@hidden> wrote:
> On Wed, Jul 20, 2011 at 12:15:02PM +0200, Nicolas Sebrecht wrote:
>> The 20/07/11, Daniel P. Berrange wrote:
>>
>> > To make the decision whether the filename from QEMU is valid, we have
>> > to parse the master image header data to see if the filename actually
>> > matches the backing file required by the image assigned to the guest.
>>
>> Actually, libvirt should not have to worry if the filename provided by
>> QEMU is valid. I think it should trust QEMU. If QEMU doesn't provide
>> information others can trust, it should be fixed on the QEMU side.
>
> The security goal of libvirt is to protect the host from a compromised
> QEMU, therefore QEMU is, by definition, untrusted.

This is a very reasonable goal. QEMU is constantly dealing with the
untrusted guest. The whole point of SELinux isolation of QEMU is to
contain any compromise to a single VM and reduce the capabilities of
that process to the minimum.

libvirt needs to help set the boundaries of what the QEMU process can do.

Stefan
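
The check described in the quoted text (parse the master image header and compare it with the filename QEMU reports), sketched as an added example that is not part of this thread and is not libvirt's code. It assumes the master image is qcow2 and that the management layer reads the header itself; the function names and sample paths are hypothetical.

```python
import posixpath
import struct
from typing import Optional

QCOW2_MAGIC = b"QFI\xfb"
MAX_NAME = 1023  # qcow2 spec limit on the backing file name length


def backing_file_from_header(image: bytes) -> Optional[str]:
    """Read the backing file name from the start of a qcow2 image."""
    if len(image) < 20:
        raise ValueError("header truncated")
    # Big-endian: magic, version, backing_file_offset, backing_file_size
    magic, _version, offset, size = struct.unpack(">4sIQI", image[:20])
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if offset == 0:
        return None  # image has no backing file
    if size > MAX_NAME or offset + size > len(image):
        raise ValueError("backing file name out of bounds")
    return image[offset:offset + size].decode("utf-8")


def reported_path_is_valid(image: bytes, image_dir: str, reported: str) -> bool:
    """True only if the path QEMU reported is the one the header requires."""
    name = backing_file_from_header(image)
    if name is None:
        return False  # no backing file, so no path should be granted
    # Relative backing names are resolved against the image's directory.
    required = posixpath.normpath(posixpath.join(image_dir, name))
    return posixpath.normpath(reported) == required


def make_sample_image(name: str) -> bytes:
    """Constructed sample: minimal header with the name stored at offset 72."""
    raw = name.encode("utf-8")
    header = struct.pack(">4sIQI", QCOW2_MAGIC, 2, 72 if raw else 0, len(raw))
    return header.ljust(72, b"\0") + raw


if __name__ == "__main__":
    img = make_sample_image("base.qcow2")
    print(reported_path_is_valid(img, "/var/lib/images", "/var/lib/images/base.qcow2"))
    print(reported_path_is_valid(img, "/var/lib/images", "/etc/shadow"))
```

The comparison is lexical only; it does not resolve symlinks.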