[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH V12 00/15] virtio-9p: chroot environment for pas
From: |
M. Mohan Kumar |
Subject: |
Re: [Qemu-devel] [PATCH V12 00/15] virtio-9p: chroot environment for passthrough security model |
Date: |
Mon, 12 Sep 2011 19:45:04 +0530 |
User-agent: |
KMail/1.13.7 (Linux/2.6.40-4.fc15.x86_64; KDE/4.6.5; x86_64; ; ) |
On Tuesday, September 06, 2011 08:18:22 PM Stefan Hajnoczi wrote:
> A virtfs feature that needs root therefore needs to be in a separate
> process. Either QEMU needs to fork or virtfs could use a separate
> daemon binary.
>
> You have already implemented the fork approach in the chroot patches.
> Handle-based open could work in the same way.
>
> To summarize this architecture: all path-related operations are
> performed by a separate privileged process. File descriptors are passed
> to QEMU over a UNIX domain socket. This way QEMU can do the actual
> read(2)/write(2) calls directly to/from guest memory.
>
> I think it would be nice to build a completely separate binary that QEMU
> connects to. The separate binary would have a much smaller footprint
> (doesn't include QEMU code). More importantly the
> privileged/unprivileged boundary would be simple and could be
> automatically set up by libvirt:
>
Hi Stefan,
Thanks for your inputs. Sorry for the delayed reply.
> $ sudo namespace_helper --sock /var/run/virtfs/1234.sock --export my_dir/
> $ qemu -fsdev local,id=my_fs,namespace_helper=/var/run/virtfs/1234.sock \
> -device virtio-9p-pci,fsdev=my_fs
We already isolated all path related operations in a privileged process.
Should we add this complexity? If we take this approach, for handle based
filesystem driver, we need to ship another binary. Won't it be an usability
issue for people who use qemu directly?
- [Qemu-devel] [PATCH V12 11/15] hw/9pfs: chmod in chroot environment, (continued)
- [Qemu-devel] [PATCH V12 11/15] hw/9pfs: chmod in chroot environment, M. Mohan Kumar, 2011/09/05
- [Qemu-devel] [PATCH V12 04/15] hw/9pfs: qemu interfaces for chroot environment, M. Mohan Kumar, 2011/09/05
- [Qemu-devel] [PATCH V12 05/15] hw/9pfs: Support for opening a file in chroot environment, M. Mohan Kumar, 2011/09/05
- [Qemu-devel] [PATCH V12 02/15] hw/9pfs: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled, M. Mohan Kumar, 2011/09/05
- [Qemu-devel] [PATCH V12 01/15] Implement qemu_read_full, M. Mohan Kumar, 2011/09/05
- [Qemu-devel] [PATCH V12 06/15] hw/9pfs: Create support in chroot environment, M. Mohan Kumar, 2011/09/05
- [Qemu-devel] [PATCH V12 03/15] hw/9pfs: Provide chroot worker side interfaces, M. Mohan Kumar, 2011/09/05
- Re: [Qemu-devel] [PATCH V12 00/15] virtio-9p: chroot environment for passthrough security model, Stefan Hajnoczi, 2011/09/06