Message-ID: <4FA0598E.1040408@linux.vnet.ibm.com>
Date: Tue, 01 May 2012 17:45:50 -0400
From: Corey Bryant
To: Anthony Liguori
Cc: Kevin Wolf, libvir-list@redhat.com, Stefan Hajnoczi, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [RFC 0/5] block: File descriptor passing using -open-hook-fd
References: <1335886307-27586-1-git-send-email-stefanha@linux.vnet.ibm.com> <4FA046C6.5080909@us.ibm.com>
In-Reply-To: <4FA046C6.5080909@us.ibm.com>

On 05/01/2012 04:25 PM, Anthony Liguori wrote:
> Thanks for sending this out Stefan.
>
> On 05/01/2012 10:31 AM, Stefan Hajnoczi wrote:
>> Libvirt can take advantage of SELinux to restrict the QEMU process and
>> prevent it from opening files that it should not have access to. This
>> improves security because it prevents the attacker from escaping the
>> QEMU process if they manage to gain control.
>>
>> NFS has been a pain point for SELinux because it does not support
>> labels (which I believe are stored in extended attributes). In other
>> words, it's not possible to use SELinux goodness on QEMU when image
>> files are located on NFS. Today we have to allow QEMU access to any
>> file on the NFS export rather than restricting specifically to the
>> image files that the guest requires.
>>
>> File descriptor passing is a solution to this problem and might also
>> come in handy elsewhere. Libvirt or another external process chooses
>> files which QEMU is allowed to access and provides just those file
>> descriptors - QEMU cannot open the files itself.
>>
>> This series adds the -open-hook-fd command-line option. Whenever QEMU
>> needs to open an image file it sends a request over the given UNIX
>> domain socket. The response includes the file descriptor or an errno
>> on failure. Please see the patches for details on the protocol.
>>
>> The -open-hook-fd approach allows QEMU to support file descriptor
>> passing without changing -drive. It also supports snapshot_blkdev and
>> other commands that re-open image files.
>>
>> Anthony Liguori wrote most of these patches. I added a demo
>> -open-hook-fd server and added some small fixes. Since Anthony is
>> traveling right now I'm sending the RFC for discussion.
>
> What I like about this approach is that it's useful outside the block
> layer and is conceptually simple from a QEMU PoV. We simply delegate
> open() to libvirt and let libvirt enforce whatever rules it wants.
>
> This is not meant to be an alternative to blockdev, but even with
> blockdev, I think we still want to use a mechanism like this even with
> blockdev.
>
> Regards,
>
> Anthony Liguori
>

I like it too and I think it's a better solution than the fd: protocol
approach. I think (correct me if I'm wrong) libvirt should be aware of
any file that qemu asks it to open. So from a security point of view,
libvirt can prevent opening a file if it isn't affiliated with the guest.

-- 
Regards,
Corey

>> Anthony Liguori (3):
>>   block: add open() wrapper that can be hooked by libvirt
>>   block: add new command line parameter that and protocol description
>>   block: plumb up open-hook-fd option
>>
>> Stefan Hajnoczi (2):
>>   osdep: add qemu_recvmsg() wrapper
>>   Example -open-hook-fd server
>>
>>  block.c           | 107 ++++++++++++++++++++++++++++++++++++++
>>  block.h           |   2 +
>>  block/raw-posix.c |  18 +++----
>>  block/raw-win32.c |   2 +-
>>  block/vdi.c       |   2 +-
>>  block/vmdk.c      |   6 +--
>>  block/vpc.c       |   2 +-
>>  block/vvfat.c     |   4 +-
>>  block_int.h       |  12 +++++
>>  osdep.c           |  46 +++++++++++++++++
>>  qemu-common.h     |   2 +
>>  qemu-options.hx   |  42 +++++++++++++++
>>  test-fd-passing.c | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>>  vl.c              |   3 ++
>>  14 files changed, 378 insertions(+), 17 deletions(-)
>>  create mode 100644 test-fd-passing.c
>>
>
>
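The exchange Stefan describes, reduced to a single request over an AF_UNIX socketpair, as an added example that is not code from the series, QEMU or libvirt: the hook side enforces an allowlist of one image path and answers with either the descriptor (SCM_RIGHTS) or an errno, and the QEMU side turns that reply into an fd or -errno. The request format (a bare path), the reply layout (an int errno plus optional SCM_RIGHTS) and the one-path allowlist are assumptions, not the protocol the patches define; both sides run in one process so the example is self-contained.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Reply with a descriptor (SCM_RIGHTS, err == 0) or with an errno value. */
static int send_reply(int sock, int fd, int err)
{
    struct iovec iov = { &err, sizeof(int) };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {                       /* attach the fd as ancillary data */
        msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}
/* Hook server (libvirt's role): hand out only the one image this guest owns. */
static int serve_open(int sock, const char *allowed)
{
    char path[256];
    ssize_t n = recv(sock, path, sizeof path - 1, 0);
    if (n <= 0) return -1;
    path[n] = '\0';
    if (strcmp(path, allowed) != 0) return send_reply(sock, -1, EACCES);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return send_reply(sock, -1, errno);
    int r = send_reply(sock, fd, 0);
    close(fd);                           /* the peer now holds its own copy */
    return r;
}
/* QEMU's role: ask for `path`; result is the received fd, or -errno on refusal. */
static int hook_open(const char *path, const char *allowed)
{
    int sv[2], err = 0, fd = -1;
    struct iovec iov = { &err, sizeof(int) };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    send(sv[0], path, strlen(path), 0);  /* QEMU asks, the hook answers in-process */
    serve_open(sv[1], allowed);
    struct cmsghdr *c = recvmsg(sv[0], &msg, 0) > 0 ? CMSG_FIRSTHDR(&msg) : NULL;
    if (c && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof(int));
    close(sv[0]); close(sv[1]);
    return err ? -err : fd;
}
```

A path outside the allowlist is refused with EACCES before any open() happens, so a QEMU that has been taken over gains nothing by asking for other files on the export.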