Message-ID: <4FA046C6.5080909@us.ibm.com>
Date: Tue, 01 May 2012 15:25:42 -0500
From: Anthony Liguori
References: <1335886307-27586-1-git-send-email-stefanha@linux.vnet.ibm.com>
In-Reply-To: <1335886307-27586-1-git-send-email-stefanha@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [RFC 0/5] block: File descriptor passing using -open-hook-fd
To: Stefan Hajnoczi
Cc: Kevin Wolf, libvir-list@redhat.com, Corey Bryant, qemu-devel@nongnu.org

Thanks for sending this
out Stefan.

On 05/01/2012 10:31 AM, Stefan Hajnoczi wrote:
> Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
> it from opening files that it should not have access to. This improves
> security because it prevents the attacker from escaping the QEMU process if
> they manage to gain control.
>
> NFS has been a pain point for SELinux because it does not support labels (which
> I believe are stored in extended attributes). In other words, it's not
> possible to use SELinux goodness on QEMU when image files are located on NFS.
> Today we have to allow QEMU access to any file on the NFS export rather than
> restricting specifically to the image files that the guest requires.
>
> File descriptor passing is a solution to this problem and might also come in
> handy elsewhere. Libvirt or another external process chooses files which QEMU
> is allowed to access and provides just those file descriptors - QEMU cannot
> open the files itself.
>
> This series adds the -open-hook-fd command-line option. Whenever QEMU needs to
> open an image file it sends a request over the given UNIX domain socket. The
> response includes the file descriptor or an errno on failure. Please see the
> patches for details on the protocol.
>
> The -open-hook-fd approach allows QEMU to support file descriptor passing
> without changing -drive. It also supports snapshot_blkdev and other commands
> that re-open image files.
>
> Anthony Liguori wrote most of these patches. I added a
> demo -open-hook-fd server and added some small fixes. Since Anthony is
> traveling right now I'm sending the RFC for discussion.

What I like about this approach is that it's useful outside the block layer and
is conceptually simple from a QEMU PoV. We simply delegate open() to libvirt
and let libvirt enforce whatever rules it wants.

This is not meant to be an alternative to blockdev, but even with blockdev, I
think we still want to use a mechanism like this even with blockdev.
Regards,

Anthony Liguori

>
> Anthony Liguori (3):
>   block: add open() wrapper that can be hooked by libvirt
>   block: add new command line parameter that and protocol description
>   block: plumb up open-hook-fd option
>
> Stefan Hajnoczi (2):
>   osdep: add qemu_recvmsg() wrapper
>   Example -open-hook-fd server
>
>  block.c           |  107 ++++++++++++++++++++++++++++++++++++++
>  block.h           |    2 +
>  block/raw-posix.c |   18 +++----
>  block/raw-win32.c |    2 +-
>  block/vdi.c       |    2 +-
>  block/vmdk.c      |    6 +--
>  block/vpc.c       |    2 +-
>  block/vvfat.c     |    4 +-
>  block_int.h       |   12 +++++
>  osdep.c           |   46 +++++++++++++++++
>  qemu-common.h     |    2 +
>  qemu-options.hx   |   42 +++++++++++++++
>  test-fd-passing.c |  147 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  vl.c              |    3 ++
>  14 files changed, 378 insertions(+), 17 deletions(-)
>  create mode 100644 test-fd-passing.c
>
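The open-delegation exchange described in the cover letter, as an added example that is not part of the original message or of the patch series: a broker in libvirt's role opens only allow-listed image paths and passes the descriptor over a UNIX domain socket, and a client in QEMU's role receives either the fd or an errno. The wire format (raw path as request, one int32 errno as reply), the function names and the sample files are assumptions, since the real protocol is defined in the patches; Python 3.9+ is assumed for `socket.send_fds`/`socket.recv_fds`.

```python
import errno, os, pathlib, socket, struct, tempfile, threading

REPLY = struct.Struct("!i")  # assumed wire format: one int32 errno, 0 = success

def broker_serve_one(sock, allowed):
    """Broker (libvirt's role): open allow-listed paths only, reply errno + fd."""
    real = os.path.realpath(sock.recv(4096).decode())  # resolve symlinks and ".."
    if real not in allowed:
        return sock.sendall(REPLY.pack(errno.EACCES))
    try:
        fd = os.open(real, os.O_RDONLY)
    except OSError as e:
        return sock.sendall(REPLY.pack(e.errno))
    try:
        socket.send_fds(sock, [REPLY.pack(0)], [fd])  # fd travels as SCM_RIGHTS
    finally:
        os.close(fd)  # the receiver holds its own duplicate

def hooked_open(sock, path):
    """Client (QEMU's role): ask the broker; return the fd or raise OSError."""
    sock.sendall(path.encode())
    data, fds, _flags, _addr = socket.recv_fds(sock, REPLY.size, 1)
    err = REPLY.unpack(data)[0] if len(data) == REPLY.size else errno.EIO
    if err == 0 and fds:
        return fds[0]
    for fd in fds:  # never keep a descriptor from an error or malformed reply
        os.close(fd)
    raise OSError(err or errno.EIO, os.strerror(err or errno.EIO), path)

def demo():
    """Constructed round trip: one listed image, one path that is not listed."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        img = os.path.realpath(os.path.join(d, "guest.img"))
        pathlib.Path(img).write_bytes(b"IMG0")  # constructed sample "image"
        for req in (img, os.path.join(d, "other.img")):
            qemu, broker = socket.socketpair()
            t = threading.Thread(target=broker_serve_one, args=(broker, {img}))
            t.start()
            try:
                fd = hooked_open(qemu, req)
                out[os.path.basename(req)] = os.read(fd, 4)
                os.close(fd)
            except OSError as e:
                out[os.path.basename(req)] = errno.errorcode[e.errno]
            t.join(); qemu.close(); broker.close()
    return out

if __name__ == "__main__":
    print(demo())  # {'guest.img': b'IMG0', 'other.img': 'EACCES'}
```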