On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote:
> On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:
> >
> > > On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <stefa...@redhat.com> wrote:
> > > On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:
> > >> On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote:
> > >>> On Wed, Mar 06, 2019 at 11:22:53PM -0800, elena.ufimts...@oracle.com
> > >>> wrote:
> > >>>> diff --git a/docs/devel/qemu-multiprocess.txt
> > >>>> b/docs/devel/qemu-multiprocess.txt
> > >>>> new file mode 100644
> > >>>> index 0000000..e29c6c8
> > >>>> --- /dev/null
> > >>>> +++ b/docs/devel/qemu-multiprocess.txt
> > >>>
> > >>> Thanks for this document and the interesting work that you are doing.
> > >>> I'd like to discuss the security advantages gained by disaggregating
> > >>> QEMU in more detail.
> > >>>
> > >>> The security model for VMs managed by libvirt (most production x86, ppc,
> > >>> s390 guests) is that the QEMU process is untrusted and only has access
> > >>> to resources belonging to the guest. SELinux is used to restrict the
> > >>> process from accessing other files, processes, etc. on the host.
> > >>
> > >> NB it doesn't have to be SELinux. Libvirt also supports AppArmor and
> > >> can even do isolation with traditional DAC by putting each QEMU under
> > >> a distinct UID/GID and having libvirtd set ownership on resources each
> > >> VM is permitted to use.
> > >>
> > >>> QEMU does not hold privileged resources that must be kept away from the
> > >>> guest. An escaped guest can access its image file, tap file descriptor,
> > >>> etc. but they are the same resources it could already access via device
> > >>> emulation.
> > >>>
> > >>> Can you give specific examples of how disaggregation improves security?
> > >
> > > Elena & collaborators: Dan has posted some ideas but please share yours
> > > so the security benefits of this patch series can be better understood.
> > >
> >
> > Dan covered the main point. The security regime we use (SELinux)
> > constrains the actions of processes on objects, so having multiple processes
> > allows us to apply more fine-grained policies.
>
> Please share the SELinux policy files, containerization scripts, etc.
> There is probably a home for them in qemu.git, libvirt.git, or elsewhere
> upstream.
>
> We need to find a way to make the sandboxing improvements available to
> users besides yourself and easily reusable for developers who wish to
> convert additional device models.
Ping?

Without the scripts/policies there is no security benefit from this patch series.

Stefan
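The per-VM confinement model that Stefan and Dan describe above (libvirt hands each QEMU its own SELinux MCS label and, optionally, its own UID/GID, then labels or chowns only that guest's resources to match), shown as an added example that is not part of the original thread or of the patch series. It is a libvirt domain XML fragment written here for illustration: the element names follow libvirt's `<seclabel>` syntax, while the domain names, image path and the "opt out" configuration are assumptions chosen to contrast the weak and the confined setup.

```xml
<!-- Added example, not from the thread. Domain names and the image path
     are illustrative. -->

<!-- Weak: the domain opts out of libvirt's security driver. Its QEMU runs
     with whatever the shared qemu user and the unconfined domain can reach,
     so an escaped guest is limited only by the generic system policy, not
     by a per-VM label. -->
<domain type='kvm'>
  <name>vm-unconfined</name>
  <memory unit='MiB'>1024</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/vm-unconfined.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
  <seclabel type='none'/>
</domain>

<!-- Confined: libvirt generates a unique MCS category pair for this VM at
     start time, runs QEMU as svirt_t with those categories and relabels the
     image to svirt_image_t with the same categories, so another VM's QEMU
     (different categories) is denied by SELinux. The second seclabel does
     the same with DAC: this QEMU gets its own UID/GID and libvirtd chowns
     the image to it, so plain file permissions isolate it as well. -->
<domain type='kvm'>
  <name>vm-a</name>
  <memory unit='MiB'>1024</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/vm-a.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
```

To check that the confinement is actually in effect on a running host, compare the label of the running QEMU process (`ps -eZ | grep qemu`, expecting an `svirt_t` domain with a category pair such as `s0:cNNN,cMMM`) with the label of the guest's image (`ls -Z` on the image file, expecting `svirt_image_t` with the same categories); `virsh dominfo vm-a` reports the same security label. Two VMs started this way carry different category pairs, which is the "only has access to resources belonging to the guest" property Stefan refers to. Nothing in this fragment covers the separate device-emulation processes the patch series introduces; giving each of those its own label is exactly the policy work the thread is asking to see published.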