From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:54982)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@linux.vnet.ibm.com>) id 1SVKaR-0008La-Oj
	for qemu-devel@nongnu.org; Fri, 18 May 2012 06:39:13 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanha@linux.vnet.ibm.com>) id 1SVKaL-0006ih-EA
	for qemu-devel@nongnu.org; Fri, 18 May 2012 06:39:07 -0400
Received: from e06smtp10.uk.ibm.com ([195.75.94.106]:52182)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@linux.vnet.ibm.com>) id 1SVKaL-0006iQ-5u
	for qemu-devel@nongnu.org; Fri, 18 May 2012 06:39:01 -0400
Received: from /spool/local
	by e06smtp10.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <stefanha@linux.vnet.ibm.com>;
	Fri, 18 May 2012 11:38:57 +0100
Received: from d06av05.portsmouth.uk.ibm.com (d06av05.portsmouth.uk.ibm.com
	[9.149.37.229])
	by d06nrmr1507.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with
	ESMTP id q4IAcroE2580724
	for <qemu-devel@nongnu.org>; Fri, 18 May 2012 11:38:53 +0100
Received: from d06av05.portsmouth.uk.ibm.com (loopback [127.0.0.1])
	by d06av05.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with
	ESMTP id q4IAcrJI030256
	for <qemu-devel@nongnu.org>; Fri, 18 May 2012 04:38:53 -0600
Date: Fri, 18 May 2012 11:38:52 +0100
From: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Message-ID: <20120518103852.GC18026@stefanha-thinkpad.localdomain>
References: <1335886307-27586-1-git-send-email-stefanha@linux.vnet.ibm.com>
	<CAEH94Li3YtGc_5cXQD-2AOPLAFOGa0Dzvi9Ehgn5gdPhbmGYfA@mail.gmail.com>
	<20120517134228.GA5079@stefanha-thinkpad.localdomain>
	<CAEH94LhEcxqbWKYaohRC7431pcGUFrVq+gxkgHhMH7RbibL9kA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAEH94LhEcxqbWKYaohRC7431pcGUFrVq+gxkgHhMH7RbibL9kA@mail.gmail.com>
Subject: Re: [Qemu-devel] [libvirt] [RFC 0/5] block: File descriptor passing
 using -open-hook-fd
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Zhi Yong Wu <zwu.kernel@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>, libvir-list@redhat.com, Anthony Liguori <aliguori@us.ibm.com>, qemu-devel@nongnu.org

On Thu, May 17, 2012 at 10:02:01PM +0800, Zhi Yong Wu wrote:
> On Thu, May 17, 2012 at 9:42 PM, Stefan Hajnoczi
> <stefanha@linux.vnet.ibm.com> wrote:
> > On Fri, May 04, 2012 at 11:28:47AM +0800, Zhi Yong Wu wrote:
> >> On Tue, May 1, 2012 at 11:31 PM, Stefan Hajnoczi
> >> <stefanha@linux.vnet.ibm.com> wrote:
> >> > Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
> >> > it from opening files that it should not have access to.  This improves
> >> > security because it prevents the attacker from escaping the QEMU process if
> >> > they manage to gain control.
> >> >
> >> > NFS has been a pain point for SELinux because it does not support labels (which
> >> > I believe are stored in extended attributes).  In other words, it's not
> >> > possible to use SELinux goodness on QEMU when image files are located on NFS.
> >> > Today we have to allow QEMU access to any file on the NFS export rather than
> >> > restricting specifically to the image files that the guest requires.
> >> >
> >> > File descriptor passing is a solution to this problem and might also come in
> >> > handy elsewhere.  Libvirt or another external process chooses files which QEMU
> >> > is allowed to access and provides just those file descriptors - QEMU cannot
> >> > open the files itself.
> >> >
> >> > This series adds the -open-hook-fd command-line option.  Whenever QEMU needs to
> >> > open an image file it sends a request over the given UNIX domain socket.  The
> >> > response includes the file descriptor or an errno on failure.  Please see the
> >> > patches for details on the protocol.
> >> >
> >> > The -open-hook-fd approach allows QEMU to support file descriptor passing
> >> > without changing -drive.  It also supports snapshot_blkdev and other commands
> >> By the way, How will it support them?
> >
> > The problem with snapshot_blkdev is that closing a file and opening a
> > new file cannot be done by the QEMU process when an SELinux policy is in
> > place to prevent opening files.
> >
> > The -open-hook-fd approach works even when the QEMU process is not
> > allowed to open files since file descriptor passing over a UNIX domain
> > socket is used to open files on behalf of QEMU.
> I thought that the patchset can only let QEMU passively get passed fd
> parameter from upper application.

No.  What this patch series does is make QEMU request file descriptors
from an external process (e.g. libvirt) each time it wants to open an
image file.

Stefan