[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC] Next gen kvm api
|
From: |
Chris Wright |
|
Subject: |
Re: [Qemu-devel] [RFC] Next gen kvm api |
|
Date: |
Tue, 7 Feb 2012 10:28:28 -0800 |
|
User-agent: |
Mutt/1.5.21+46 (b01d63af6fea) (2011-07-01) |
* Anthony Liguori (address@hidden) wrote:
> On 02/07/2012 07:18 AM, Avi Kivity wrote:
> >On 02/07/2012 02:51 PM, Anthony Liguori wrote:
> >>On 02/07/2012 06:40 AM, Avi Kivity wrote:
> >>>On 02/07/2012 02:28 PM, Anthony Liguori wrote:
> >>>>
> >>>>>It's a potential source of exploits
> >>>>>(from bugs in KVM or in hardware). I can see people wanting to be
> >>>>>selective with access because of that.
> >>>>
> >>>>As is true of the rest of the kernel.
> >>>>
> >>>>If you want finer grain access control, that's exactly why we have things
> >>>>like
> >>>>LSM and SELinux. You can add the appropriate LSM hooks into the KVM
> >>>>infrastructure and setup default SELinux policies appropriately.
> >>>
> >>>LSMs protect objects, not syscalls. There isn't an object to protect here
> >>>(except the fake /dev/kvm object).
> >>
> >>A VM can be an object.
> >
> >Not really, it's not accessible in a namespace. How would you label it?
A VM, vcpu, etc are all objects. The labelling can be implicit based on
the security context of the process creating the object. You could create
simplistic rules such as a process may have the ability KVM__VM_CREATE
(this is roughly analogous to the PROC__EXECMEM policy control that
allows some processes to create executable writable memory mappings, or
SHM__CREATE for a process that can create a shared memory segment).
Adding some label mgmt to the object (add ->security and some callbacks to
do ->alloc/init/free), and then checks on the object itself would allow
for finer grained protection. If there was any VM lookup (although the
original example explicitly ties a process to a vm and a thread to a
vcpu) the finer grained check would certainly be useful to verify that
the process can access the VM.
> Labels can originate from userspace, IIUC, so I think it's possible for QEMU
> (or whatever the userspace is) to set the label for the VM while it's
> creating it. I think this is how most of the labeling for X and things of
> that nature works.
For X, the policy enforcement is done in the X server. There is
assistance from the kernel for doing policy server queries (can foo do
bar?), but it's up to the X server to actually care enough to ask and
then fail a request that doesn't comply. I'm not sure that's the model
here.
thanks,
-chris
- Re: [Qemu-devel] [RFC] Next gen kvm api, (continued)
- Re: [Qemu-devel] [RFC] Next gen kvm api, Avi Kivity, 2012/02/16
- Re: [Qemu-devel] [RFC] Next gen kvm api, Anthony Liguori, 2012/02/07
- Re: [Qemu-devel] [RFC] Next gen kvm api, Avi Kivity, 2012/02/07
- Re: [Qemu-devel] [RFC] Next gen kvm api, Anthony Liguori, 2012/02/07
- Re: [Qemu-devel] [RFC] Next gen kvm api, Avi Kivity, 2012/02/07
- Re: [Qemu-devel] [RFC] Next gen kvm api, Anthony Liguori, 2012/02/07
- Re: [Qemu-devel] [RFC] Next gen kvm api,
Chris Wright <=
- Re: [Qemu-devel] [RFC] Next gen kvm api, Scott Wood, 2012/02/08
- Re: [Qemu-devel] [RFC] Next gen kvm api, Alan Cox, 2012/02/08
Re: [Qemu-devel] [RFC] Next gen kvm api, Rob Earhart, 2012/02/03
- Re: [Qemu-devel] [RFC] Next gen kvm api, Rob Earhart, 2012/02/03
- Re: [Qemu-devel] [RFC] Next gen kvm api, Avi Kivity, 2012/02/05
- Re: [Qemu-devel] [RFC] Next gen kvm api, Rob Earhart, 2012/02/06
- Re: [Qemu-devel] [RFC] Next gen kvm api, Anthony Liguori, 2012/02/06
- Re: [Qemu-devel] [RFC] Next gen kvm api, Avi Kivity, 2012/02/07
- Re: [Qemu-devel] [RFC] Next gen kvm api, Anthony Liguori, 2012/02/07
- Re: [Qemu-devel] [RFC] Next gen kvm api, Avi Kivity, 2012/02/07