On Wed, Mar 06, 2019 at 11:22:53PM -0800, elena.ufimtseva@oracle.com wrote:
> diff --git a/docs/devel/qemu-multiprocess.txt b/docs/devel/qemu-multiprocess.txt
> new file mode 100644
> index 0000000..e29c6c8
> --- /dev/null
> +++ b/docs/devel/qemu-multiprocess.txt

Thanks for this document and the interesting work that you are doing.
I'd like to discuss the security advantages gained by disaggregating
QEMU in more detail.

The security model for VMs managed by libvirt (most production x86, ppc,
s390 guests) is that the QEMU process is untrusted and only has access
to resources belonging to the guest.  SELinux is used to restrict the
process from accessing other files, processes, etc on the host.

QEMU does not hold privileged resources that must be kept away from the
guest.  An escaped guest can access its image file, tap file descriptor,
etc but they are the same resources it could already access via device
emulation.

Can you give specific examples of how disaggregation improves security?

Stefan