|
From: | Jag Raman |
Subject: | Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess |
Date: | Tue, 26 Mar 2019 10:31:53 -0400 |
User-agent: | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 |
On 3/26/2019 4:08 AM, Stefan Hajnoczi wrote:
On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote:On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <address@hidden> wrote: On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote:On Wed, Mar 06, 2019 at 11:22:53PM -0800, address@hidden wrote:diff --git a/docs/devel/qemu-multiprocess.txt b/docs/devel/qemu-multiprocess.txt new file mode 100644 index 0000000..e29c6c8 --- /dev/null +++ b/docs/devel/qemu-multiprocess.txtThanks for this document and the interesting work that you are doing. I'd like to discuss the security advantages gained by disaggregating QEMU in more detail. The security model for VMs managed by libvirt (most production x86, ppc, s390 guests) is that the QEMU process is untrusted and only has access to resources belonging to the guest. SELinux is used to restrict the process from accessing other files, processes, etc on the host.NB it doesn't have to be SELinux. Libvirt also supports AppArmor and can even do isolation with traditional DAC by putting each QEMU under a distinct UID/GID and having libvirtd set ownership on resources each VM is permitted to use.QEMU does not hold privileged resources that must be kept away from the guest. An escaped guest can access its image file, tap file descriptor, etc but they are the same resources it could already access via device emulation. Can you give specific examples of how disaggregation improves security?Elena & collaborators: Dan has posted some ideas but please share yours so the security benefits of this patch series can be better understood.Dan covered the main point. The security regime we use (selinux) constrains the actions of processes on objects, so having multiple processes allows us to apply more fine-grained policies.Please share the SELinux policy files, containerization scripts, etc. There is probably a home for them in qemu.git, libvirt.git, or elsewhere upstream. We need to find a way to make the sandboxing improvements available to users besides yourself and easily reusable for developers who wish to convert additional device models.Ping? Without the scripts/policies there is no security benefit from this patch series.
Hi Stefan, We are working on this. We'll get back to you once we have this available. Thanks! -- Jag
Stefan
[Prev in Thread] | Current Thread | [Next in Thread] |