qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the c

From: Jag Raman
Subject: Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess
Date: Tue, 26 Mar 2019 10:31:53 -0400
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 


On 3/26/2019 4:08 AM, Stefan Hajnoczi wrote:

On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote:

On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:

On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <address@hidden> wrote:
On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:

On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote:

On Wed, Mar 06, 2019 at 11:22:53PM -0800, address@hidden wrote:

diff --git a/docs/devel/qemu-multiprocess.txt b/docs/devel/qemu-multiprocess.txt
new file mode 100644
index 0000000..e29c6c8
--- /dev/null
+++ b/docs/devel/qemu-multiprocess.txt


Thanks for this document and the interesting work that you are doing.
I'd like to discuss the security advantages gained by disaggregating
QEMU in more detail.

The security model for VMs managed by libvirt (most production x86, ppc,
s390 guests) is that the QEMU process is untrusted and only has access
to resources belonging to the guest.  SELinux is used to restrict the
process from accessing other files, processes, etc on the host.


NB it doesn't have to be SELinux. Libvirt also supports AppArmor and
can even do isolation with traditional DAC by putting each QEMU under
a distinct UID/GID and having libvirtd set ownership on resources each
VM is permitted to use.


QEMU does not hold privileged resources that must be kept away from the
guest.  An escaped guest can access its image file, tap file descriptor,
etc but they are the same resources it could already access via device
emulation.

Can you give specific examples of how disaggregation improves security?


Elena & collaborators: Dan has posted some ideas but please share yours
so the security benefits of this patch series can be better understood.



        Dan covered the main point.  The security regime we use (selinux)
constrains the actions of processes on objects, so having multiple processes
allows us to apply more fine-grained policies.


Please share the SELinux policy files, containerization scripts, etc.
There is probably a home for them in qemu.git, libvirt.git, or elsewhere
upstream.

We need to find a way to make the sandboxing improvements available to
users besides yourself and easily reusable for developers who wish to
convert additional device models.


Ping?

Without the scripts/policies there is no security benefit from this
patch series.


Hi Stefan,

We are working on this. We'll get back to you once we have this
available.

Thanks!
--
Jag



Stefan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]