Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess

[Philippe Mathieu-Daudé]

Le mar. 26 mars 2019 15:34, Jag Raman <address@hidden> a écrit :

>
>
> On 3/26/2019 4:08 AM, Stefan Hajnoczi wrote:
> > On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote:
> >> On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:
> >>>> On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <address@hidden>
> wrote:
> >>>> On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:
> >>>>> On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote:
> >>>>>> On Wed, Mar 06, 2019 at 11:22:53PM -0800,
> address@hidden wrote:
> >>>>>>> diff --git a/docs/devel/qemu-multiprocess.txt
> b/docs/devel/qemu-multiprocess.txt
> >>>>>>> new file mode 100644
> >>>>>>> index 0000000..e29c6c8
> >>>>>>> --- /dev/null
> >>>>>>> +++ b/docs/devel/qemu-multiprocess.txt
> >>>>>>
> >>>>>> Thanks for this document and the interesting work that you are
> doing.
> >>>>>> I'd like to discuss the security advantages gained by disaggregating
> >>>>>> QEMU in more detail.
> >>>>>>
> >>>>>> The security model for VMs managed by libvirt (most production x86,
> ppc,
> >>>>>> s390 guests) is that the QEMU process is untrusted and only has
> access
> >>>>>> to resources belonging to the guest.  SELinux is used to restrict
> the
> >>>>>> process from accessing other files, processes, etc on the host.
> >>>>>
> >>>>> NB it doesn't have to be SELinux. Libvirt also supports AppArmor and
> >>>>> can even do isolation with traditional DAC by putting each QEMU under
> >>>>> a distinct UID/GID and having libvirtd set ownership on resources
> each
> >>>>> VM is permitted to use.
> >>>>>
> >>>>>> QEMU does not hold privileged resources that must be kept away from
> the
> >>>>>> guest.  An escaped guest can access its image file, tap file
> descriptor,
> >>>>>> etc but they are the same resources it could already access via
> device
> >>>>>> emulation.
> >>>>>>
> >>>>>> Can you give specific examples of how disaggregation improves
> security?
> >>>>
> >>>> Elena & collaborators: Dan has posted some ideas but please share
> yours
> >>>> so the security benefits of this patch series can be better
> understood.
> >>>>
> >>>
> >>>     Dan covered the main point.  The security regime we use (selinux)
> >>> constrains the actions of processes on objects, so having multiple
> processes
> >>> allows us to apply more fine-grained policies.
> >>
> >> Please share the SELinux policy files, containerization scripts, etc.
> >> There is probably a home for them in qemu.git, libvirt.git, or elsewhere
> >> upstream.
> >>
> >> We need to find a way to make the sandboxing improvements available to
> >> users besides yourself and easily reusable for developers who wish to
> >> convert additional device models.
>

Also for testing this series.

>
> > Ping?
> >
> > Without the scripts/policies there is no security benefit from this
> > patch series.
>
> Hi Stefan,
>
> We are working on this. We'll get back to you once we have this
> available.
>
> Thanks!
> --
> Jag
>
> >
> > Stefan
> >
>
>