Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess
From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess
Date: Wed, 27 Mar 2019 16:37:19 +0000
User-agent: Mutt/1.11.3 (2019-02-01)
On Tue, Mar 26, 2019 at 10:31:53AM -0400, Jag Raman wrote:
>
>
> On 3/26/2019 4:08 AM, Stefan Hajnoczi wrote:
> > On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote:
> > > On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:
> > > > > On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <address@hidden> wrote:
> > > > > On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:
> > > > > > On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote:
> > > > > > > On Wed, Mar 06, 2019 at 11:22:53PM -0800, address@hidden wrote:
> > > > > > > > diff --git a/docs/devel/qemu-multiprocess.txt
> > > > > > > > b/docs/devel/qemu-multiprocess.txt
> > > > > > > > new file mode 100644
> > > > > > > > index 0000000..e29c6c8
> > > > > > > > --- /dev/null
> > > > > > > > +++ b/docs/devel/qemu-multiprocess.txt
> > > > > > >
> > > > > > > Thanks for this document and the interesting work that you are
> > > > > > > doing. I'd like to discuss the security advantages gained by
> > > > > > > disaggregating QEMU in more detail.
> > > > > > >
> > > > > > > The security model for VMs managed by libvirt (most production
> > > > > > > x86, ppc, s390 guests) is that the QEMU process is untrusted and
> > > > > > > only has access to resources belonging to the guest. SELinux is
> > > > > > > used to restrict the process from accessing other files,
> > > > > > > processes, etc on the host.
> > > > > >
> > > > > > NB it doesn't have to be SELinux. Libvirt also supports AppArmor and
> > > > > > can even do isolation with traditional DAC by putting each QEMU
> > > > > > under a distinct UID/GID and having libvirtd set ownership on
> > > > > > resources each VM is permitted to use.
> > > > > >
> > > > > > > QEMU does not hold privileged resources that must be kept away
> > > > > > > from the guest. An escaped guest can access its image file, tap
> > > > > > > file descriptor, etc but they are the same resources it could
> > > > > > > already access via device emulation.
> > > > > > >
> > > > > > > Can you give specific examples of how disaggregation improves
> > > > > > > security?
> > > > >
> > > > > Elena & collaborators: Dan has posted some ideas but please share
> > > > > yours so the security benefits of this patch series can be better
> > > > > understood.
> > > > >
> > > >
> > > > Dan covered the main point. The security regime we use (selinux)
> > > > constrains the actions of processes on objects, so having multiple
> > > > processes allows us to apply more fine-grained policies.
> > >
> > > Please share the SELinux policy files, containerization scripts, etc.
> > > There is probably a home for them in qemu.git, libvirt.git, or elsewhere
> > > upstream.
> > >
> > > We need to find a way to make the sandboxing improvements available to
> > > users besides yourself and easily reusable for developers who wish to
> > > convert additional device models.
> >
> > Ping?
> >
> > Without the scripts/policies there is no security benefit from this
> > patch series.
>
> Hi Stefan,
>
> We are working on this. We'll get back to you once we have this
> available.
Great, thanks!
Stefan
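The per-VM DAC isolation model Dan describes above (each QEMU under its own UID/GID, resources owned by that VM), as an added audit example; this is not code from QEMU or libvirt, and the process and file data are constructed to show one shared-UID and one world-readable image violation.

```python
"""Audit the per-VM DAC isolation model: one UID/GID per QEMU process,
and each VM's resources owned by that UID with no world access.
Constructed example; QemuProc/Resource are hypothetical input records."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class QemuProc:
    vm: str
    pid: int
    uid: int
    gid: int


@dataclass(frozen=True)
class Resource:
    vm: str          # VM this resource belongs to
    path: str
    owner_uid: int
    owner_gid: int
    mode: int        # POSIX permission bits


def audit_isolation(procs: List[QemuProc], resources: List[Resource]) -> List[str]:
    """Return human-readable violations; an empty list means isolation holds."""
    findings: List[str] = []
    # 1. A UID shared by two VMs lets an escaped guest reach the other VM's files.
    by_uid: Dict[int, set] = defaultdict(set)
    for p in procs:
        by_uid[p.uid].add(p.vm)
    for uid, vms in by_uid.items():
        if len(vms) > 1:
            findings.append(f"uid {uid} shared by VMs {sorted(vms)}")
    uid_of = {p.vm: p.uid for p in procs}
    # 2. Each resource must be owned by its VM's UID and not be world-accessible.
    for r in resources:
        expected = uid_of.get(r.vm)
        if expected is None:
            findings.append(f"{r.path}: no running process for VM {r.vm}")
        elif r.owner_uid != expected:
            findings.append(f"{r.path}: owned by uid {r.owner_uid}, expected {expected}")
        if r.mode & 0o006:
            findings.append(f"{r.path}: world-accessible mode {oct(r.mode)}")
    return findings


# Constructed sample: vm2 wrongly shares vm1's UID and its image is world-readable.
SAMPLE_PROCS = [QemuProc("vm1", 1001, 107, 107), QemuProc("vm2", 1002, 107, 107),
                QemuProc("vm3", 1003, 1003, 1003)]
SAMPLE_RESOURCES = [Resource("vm1", "/var/lib/libvirt/images/vm1.qcow2", 107, 107, 0o600),
                    Resource("vm2", "/var/lib/libvirt/images/vm2.qcow2", 107, 107, 0o644),
                    Resource("vm3", "/var/lib/libvirt/images/vm3.qcow2", 1003, 1003, 0o600)]

if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_PROCS, SAMPLE_RESOURCES):
        print("VIOLATION:", finding)
```

On a real host the records would be filled from the process list and the image directory; the check is the same.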