From: Stefan Hajnoczi
Date: Thu, 17 May 2012 14:42:28 +0100
Subject: Re: [Qemu-devel] [libvirt] [RFC 0/5] block: File descriptor passing using -open-hook-fd
To: Zhi Yong Wu
Cc: Kevin Wolf, libvir-list@redhat.com, Anthony Liguori, qemu-devel@nongnu.org
Message-ID: <20120517134228.GA5079@stefanha-thinkpad.localdomain>
References: <1335886307-27586-1-git-send-email-stefanha@linux.vnet.ibm.com>

On Fri, May 04, 2012 at 11:28:47AM +0800, Zhi Yong Wu wrote:
> On Tue, May 1, 2012 at 11:31 PM, Stefan Hajnoczi wrote:
> > Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
> > it from opening files that it should not have access to.  This improves
> > security because it prevents the attacker from escaping the QEMU process if
> > they manage to gain control.
> >
> > NFS has been a pain point for SELinux because it does not support labels (which
> > I believe are stored in extended attributes).  In other words, it's not
> > possible to use SELinux goodness on QEMU when image files are located on NFS.
> > Today we have to allow QEMU access to any file on the NFS export rather than
> > restricting specifically to the image files that the guest requires.
> >
> > File descriptor passing is a solution to this problem and might also come in
> > handy elsewhere.  Libvirt or another external process chooses files which QEMU
> > is allowed to access and provides just those file descriptors - QEMU cannot
> > open the files itself.
> >
> > This series adds the -open-hook-fd command-line option.  Whenever QEMU needs to
> > open an image file it sends a request over the given UNIX domain socket.  The
> > response includes the file descriptor or an errno on failure.  Please see the
> > patches for details on the protocol.
> >
> > The -open-hook-fd approach allows QEMU to support file descriptor passing
> > without changing -drive.  It also supports snapshot_blkdev and other commands
> By the way, how will it support them?

The problem with snapshot_blkdev is that closing a file and opening a new
file cannot be done by the QEMU process when an SELinux policy is in place
to prevent opening files.

The -open-hook-fd approach works even when the QEMU process is not allowed
to open files since file descriptor passing over a UNIX domain socket is
used to open files on behalf of QEMU.

Stefan
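The mechanism the thread relies on, as an added example that is not code from the RFC series, QEMU or libvirt: a hook-side process opens the file and hands the descriptor to its peer over a UNIX domain socket with SCM_RIGHTS, so the restricted peer never calls open() itself and a policy that denies it open() still lets it obtain new descriptors. The one-word errno reply, the socketpair setup and the function names are assumptions made for this example, not the series' actual protocol.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
union fdcmsg { struct cmsghdr h; char b[CMSG_SPACE(sizeof(int))]; }; /* aligned */
/* Hook side: reply with an errno word, plus the descriptor when fd >= 0. */
static int send_fd_reply(int sock, int fd, int err)
{
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof err };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    union fdcmsg u;
    memset(&u, 0, sizeof u);
    if (fd >= 0) {                      /* attach the descriptor itself */
        msg.msg_control = u.b; msg.msg_controllen = sizeof u.b;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int)); memcpy(CMSG_DATA(c), &fd, sizeof fd);
    }
    return sendmsg(sock, &msg, 0) < 0 ? -errno : 0;
}
/* QEMU side: the fd (received CLOEXEC so it cannot leak to children) or -errno. */
static int recv_fd_reply(int sock)
{
    int err = 0, fd = -1;
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof err };
    union fdcmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.b, .msg_controllen = sizeof u.b };
    ssize_t n = recvmsg(sock, &msg, MSG_CMSG_CLOEXEC);
    if (n <= 0) return n ? -errno : -EPIPE;     /* hook went away */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd >= 0 ? fd : -err;
}
/* Whole exchange over a socketpair: the hook opens path, the peer never does. */
static int open_via_hook(const char *path)
{
    int sv[2], fd;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    fd = open(path, O_RDONLY);          /* the hook's policy decision point */
    send_fd_reply(sv[0], fd, fd < 0 ? errno : 0);
    if (fd >= 0) close(fd);             /* the hook keeps no copy */
    fd = recv_fd_reply(sv[1]);
    close(sv[0]); close(sv[1]);
    return fd;
}
```

In a real deployment the two ends live in different processes (libvirt and QEMU) and the hook decides per request which paths it will open; here both ends run in one process only so the exchange can be observed stand-alone.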