qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the c

From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess
Date: Tue, 26 Mar 2019 08:08:22 +0000
User-agent: Mutt/1.11.3 (2019-02-01) 
On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote:
> On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:
> > > On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <address@hidden> wrote:
> > > On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:
> > >> On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote:
> > >>> On Wed, Mar 06, 2019 at 11:22:53PM -0800, address@hidden wrote:
> > >>>> diff --git a/docs/devel/qemu-multiprocess.txt 
> > >>>> b/docs/devel/qemu-multiprocess.txt
> > >>>> new file mode 100644
> > >>>> index 0000000..e29c6c8
> > >>>> --- /dev/null
> > >>>> +++ b/docs/devel/qemu-multiprocess.txt
> > >>> 
> > >>> Thanks for this document and the interesting work that you are doing.
> > >>> I'd like to discuss the security advantages gained by disaggregating
> > >>> QEMU in more detail.
> > >>> 
> > >>> The security model for VMs managed by libvirt (most production x86, ppc,
> > >>> s390 guests) is that the QEMU process is untrusted and only has access
> > >>> to resources belonging to the guest.  SELinux is used to restrict the
> > >>> process from accessing other files, processes, etc on the host.
> > >> 
> > >> NB it doesn't have to be SELinux. Libvirt also supports AppArmor and
> > >> can even do isolation with traditional DAC by putting each QEMU under
> > >> a distinct UID/GID and having libvirtd set ownership on resources each
> > >> VM is permitted to use.
> > >> 
> > >>> QEMU does not hold privileged resources that must be kept away from the
> > >>> guest.  An escaped guest can access its image file, tap file descriptor,
> > >>> etc but they are the same resources it could already access via device
> > >>> emulation.
> > >>> 
> > >>> Can you give specific examples of how disaggregation improves security?
> > > 
> > > Elena & collaborators: Dan has posted some ideas but please share yours
> > > so the security benefits of this patch series can be better understood.
> > > 
> > 
> >     Dan covered the main point.  The security regime we use (selinux)
> > constrains the actions of processes on objects, so having multiple processes
> > allows us to apply more fine-grained policies.
> 
> Please share the SELinux policy files, containerization scripts, etc.
> There is probably a home for them in qemu.git, libvirt.git, or elsewhere
> upstream.
> 
> We need to find a way to make the sandboxing improvements available to
> users besides yourself and easily reusable for developers who wish to
> convert additional device models.

Ping?

Without the scripts/policies there is no security benefit from this
patch series.

Stefan

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]