* Daniel P. Berrangé (berra...@redhat.com) wrote: > On Fri, Aug 23, 2019 at 03:09:48PM +0100, Dr. David Alan Gilbert wrote: > > * Marc-André Lureau (marcandre.lur...@gmail.com) wrote: > > > Hi > > > > > > On Fri, Aug 23, 2019 at 5:00 PM Dr. David Alan Gilbert > > > <dgilb...@redhat.com> wrote: > > > > > > > > * Daniel P. Berrangé (berra...@redhat.com) wrote: > > > > > > > > <snip> > > > > > > > > > This means QEMU still has to iterate over every single client > > > > > on the bus to identify them. If you're doing that, there's > > > > > no point in owning a well known service at all. Just iterate > > > > > over the unique bus names and look for the exported object > > > > > path /org/qemu/VMState > > > > > > > > > > > > > Not knowing anything about DBus security, I want to ask how do > > > > we handle security here? > > > > > > First of all, we are talking about cooperative processes, and having a > > > specific bus for each qemu instance. So some amount of security/trust > > > is already assumed. > > > > Some but we need to keep it as limited as possible; for example two > > reasons for having separate processes both come down to security: > > > > a) vtpm - however screwy the qemu is, you can never get to the keys in > > the vtpm > > Processes connected to dbus can only call the DBus APIs that vtpm > actually exports. The vtpm should simply *not* export a DBus > API that allows anything to fetch the keys. > > If it did want to export APIs for fetching keys, then we would > have to ensure suitable dbus /selinux policy was created to > prevent unwarranted access.
This was really just one example of where the security/trust isn't assumed; however a more concrete case is migration of a vtpm, and even though it's probably encrypted blob you still don't want some other device to grab the migration data - or to say reinitialise the vtpm. > > b) virtio-gpu, loads of complex GPU code that can't break the main > > qemu process. > > That's no problem - virtio-gpu crashes, it disappears from the dbus > bus, but everything else keeps running. Crashing is the easy case; assume it's malicious and you don't want it getting to say a storage device provided by another vhost-user device. > > > But if necessary, dbus can enforce policies on who is allowed to own a > > > name, or to send/receive message from. As far as I know, this is > > > mostly user/group policies. > > > > > > But there is also SELinux checks to send_msg and acquire_svc (see > > > dbus-daemon(1)) > > > > But how does something like SELinux interact with a private dbus > > rather than the system dbus? > > There's already two dbus-daemon's on each host - the system one and > the session one, and they get different selinux contexts, > system_dbus_t and unconfined_dbus_t. > > Since libvirt would be responsible for launching these private dbus > daemons it would be easy to make it run svirt_dbus_t for example. > Actually it would be svirt_dbus_t:s0:cNNN,cMMM to get uniqueness > per VM. > > Will of course require us to talk to the SELinux maintainers to > get some sensible policy rules created. This all relies on SELinux and running privileged qemu/vhost-user pairs; needing to do that purely to enforce security seems wrong. Dave > > > > I want to know that the external device that's giving me migration data > > > > is the device I think I'm speaking to, not one of the other devices; > > > > > > DBus is not the problem nor the solution here. > > > > Well, if the migration data was squirting down the existing vhost-user > > channel then there would be no risk here; so the use of dbus is creating > > the problem. > > > > > But what defines that device-service strong relationship? Can you > > > generalize it? I don't think so. > > > > > > What DBus can guarantee is that the unique-id you are talking to is > > > always the same connection (thus the same process). > > > > > > > I also dont want different devices chatting to each other over dbus > > > > unless we're very careful. > > > > > > That's a bus policy job. > > > > OK, as long as you somehow set it up. > > > > Dave > > > > > > > > > > Dave > > > > > > > > > Regards, > > > > > Daniel > > > > > -- > > > > > |: https://berrange.com -o- > > > > > https://www.flickr.com/photos/dberrange :| > > > > > |: https://libvirt.org -o- > > > > > https://fstop138.berrange.com :| > > > > > |: https://entangle-photo.org -o- > > > > > https://www.instagram.com/dberrange :| > > > > -- > > > > Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK > > > > > > > > > > > > > -- > > > Marc-André Lureau > > -- > > Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK > > Regards, > Daniel > -- > |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| > |: https://libvirt.org -o- https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK