On Tue, Mar 26, 2019 at 10:31:53AM -0400, Jag Raman wrote: > > > On 3/26/2019 4:08 AM, Stefan Hajnoczi wrote: > > On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote: > > > On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote: > > > > > On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <stefa...@redhat.com> > > > > > wrote: > > > > > On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote: > > > > > > On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote: > > > > > > > On Wed, Mar 06, 2019 at 11:22:53PM -0800, > > > > > > > elena.ufimts...@oracle.com wrote: > > > > > > > > diff --git a/docs/devel/qemu-multiprocess.txt > > > > > > > > b/docs/devel/qemu-multiprocess.txt > > > > > > > > new file mode 100644 > > > > > > > > index 0000000..e29c6c8 > > > > > > > > --- /dev/null > > > > > > > > +++ b/docs/devel/qemu-multiprocess.txt > > > > > > > > > > > > > > Thanks for this document and the interesting work that you are > > > > > > > doing. > > > > > > > I'd like to discuss the security advantages gained by > > > > > > > disaggregating > > > > > > > QEMU in more detail. > > > > > > > > > > > > > > The security model for VMs managed by libvirt (most production > > > > > > > x86, ppc, > > > > > > > s390 guests) is that the QEMU process is untrusted and only has > > > > > > > access > > > > > > > to resources belonging to the guest. SELinux is used to restrict > > > > > > > the > > > > > > > process from accessing other files, processes, etc on the host. > > > > > > > > > > > > NB it doesn't have to be SELinux. Libvirt also supports AppArmor and > > > > > > can even do isolation with traditional DAC by putting each QEMU > > > > > > under > > > > > > a distinct UID/GID and having libvirtd set ownership on resources > > > > > > each > > > > > > VM is permitted to use. > > > > > > > > > > > > > QEMU does not hold privileged resources that must be kept away > > > > > > > from the > > > > > > > guest. An escaped guest can access its image file, tap file > > > > > > > descriptor, > > > > > > > etc but they are the same resources it could already access via > > > > > > > device > > > > > > > emulation. > > > > > > > > > > > > > > Can you give specific examples of how disaggregation improves > > > > > > > security? > > > > > > > > > > Elena & collaborators: Dan has posted some ideas but please share > > > > > yours > > > > > so the security benefits of this patch series can be better > > > > > understood. > > > > > > > > > > > > > Dan covered the main point. The security regime we use > > > > (selinux) > > > > constrains the actions of processes on objects, so having multiple > > > > processes > > > > allows us to apply more fine-grained policies. > > > > > > Please share the SELinux policy files, containerization scripts, etc. > > > There is probably a home for them in qemu.git, libvirt.git, or elsewhere > > > upstream. > > > > > > We need to find a way to make the sandboxing improvements available to > > > users besides yourself and easily reusable for developers who wish to > > > convert additional device models. > > > > Ping? > > > > Without the scripts/policies there is no security benefit from this > > patch series. > > Hi Stefan, > > We are working on this. We'll get back to you once we have this > available.
Great, thanks! Stefan
signature.asc
Description: PGP signature
