Hi On Mon, Sep 16, 2019 at 5:15 PM Dr. David Alan Gilbert <dgilb...@redhat.com> wrote: > > * Marc-André Lureau (marcandre.lur...@gmail.com) wrote: > > Hi > > > > On Mon, Sep 16, 2019 at 2:02 PM Dr. David Alan Gilbert > > <dgilb...@redhat.com> wrote: > > > > > > (Copying in Stefan since he was looking at DBus for virtiofs) > > > > > > * Marc-André Lureau (marcandre.lur...@redhat.com) wrote: > > > > Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com> > > > > --- > > > > docs/interop/dbus.rst | 73 ++++++++++++++++++++++++++++++++++++++++++ > > > > docs/interop/index.rst | 1 + > > > > 2 files changed, 74 insertions(+) > > > > create mode 100644 docs/interop/dbus.rst > > > > > > > > diff --git a/docs/interop/dbus.rst b/docs/interop/dbus.rst > > > > new file mode 100644 > > > > index 0000000000..c08f026edc > > > > --- /dev/null > > > > +++ b/docs/interop/dbus.rst > > > > @@ -0,0 +1,73 @@ > > > > +===== > > > > +D-Bus > > > > +===== > > > > + > > > > +Introduction > > > > +============ > > > > + > > > > +QEMU may be running with various helper processes involved: > > > > + - vhost-user* processes (gpu, virtfs, input, etc...) > > > > + - TPM emulation (or other devices) > > > > + - user networking (slirp) > > > > + - network services (DHCP/DNS, samba/ftp etc) > > > > + - background tasks (compression, streaming etc) > > > > + - client UI > > > > + - admin & cli > > > > + > > > > +Having several processes allows stricter security rules, as well as > > > > +greater modularity. > > > > + > > > > +While QEMU itself uses QMP as primary IPC (and Spice/VNC for remote > > > > +display), D-Bus is the de facto IPC of choice on Unix systems. The > > > > +wire format is machine friendly, good bindings exist for various > > > > +languages, and there are various tools available. > > > > + > > > > +Using a bus, helper processes can discover and communicate with each > > > > +other easily, without going through QEMU. The bus topology is also > > > > +easier to apprehend and debug than a mesh. However, it is wise to > > > > +consider the security aspects of it. > > > > + > > > > +Security > > > > +======== > > > > + > > > > +A QEMU D-Bus bus should be private to a single VM. Thus, only > > > > +cooperative tasks are running on the same bus to serve the VM. > > > > + > > > > +D-Bus, the protocol and standard, doesn't have mechanisms to enforce > > > > +security between peers once the connection is established. Peers may > > > > +have additional mechanisms to enforce security rules, based for > > > > +example on UNIX credentials. > > > > + > > > > +dbus-daemon can enforce various policies based on the UID/GID of the > > > > +processes that are connected to it. It is thus a good idea to run > > > > +helpers as different UID from QEMU and set appropriate policies (so > > > > +helper processes are only allowed to talk to qemu for example). > > > > + > > > > +For example, this allows only ``qemu`` user to talk to ``qemu-helper`` > > > > +``org.qemu.Helper1`` service: > > > > + > > > > +.. code:: xml > > > > + > > > > + <policy user="qemu"> > > > > + <allow send_destination="org.qemu.Helper1"/> > > > > + <allow receive_sender="org.qemu.Helper1"/> > > > > + </policy> > > > > + > > > > + <policy user="qemu-helper"> > > > > + <allow own="org.qemu.Helper1"/> > > > > + </policy> > > > > + > > > > + > > > > +dbus-daemon can also perfom SELinux checks based on the security > > > > +context of the source and the target. For example, ``virtiofs_t`` > > > > +could be allowed to send a message to ``svirt_t``, but ``virtiofs_t`` > > > > +wouldn't be allowed to send a message to ``virtiofs_t``. > > > > > > I think we need to start thinking about this more now rather than > > > 'can'. . > > > > Do you have a specific question we can answer or guide for qemu? Is > > there something we have to document or implement? > > > > Since qemu is not managing the extra processes or applying policies, I > > don't know what else could be done. From qemu pov, it can rely on > > management layer to trust the bus and the helpers, similar to trusting > > the system in general. > > Well pretty much the same questions I asked in the discussion on v2; > what is the supported configuration to ensure that one helper that's > been compromised can't attack the others and qemu?
I thought I gave the answer to that question above. What is missing? I don't think one can generalize it here, it will be a case by case for each helper, how they interact with each other and qemu. > > Dave > > > > Dave > > > > > > > +Guidelines > > > > +========== > > > > + > > > > +When implementing new D-Bus interfaces, it is recommended to follow > > > > +the "D-Bus API Design Guidelines": > > > > +https://dbus.freedesktop.org/doc/dbus-api-design.html > > > > + > > > > +The "org.qemu*" prefix is reserved for the QEMU project. > > > > diff --git a/docs/interop/index.rst b/docs/interop/index.rst > > > > index b4bfcab417..fa4478ce2e 100644 > > > > --- a/docs/interop/index.rst > > > > +++ b/docs/interop/index.rst > > > > @@ -13,6 +13,7 @@ Contents: > > > > :maxdepth: 2 > > > > > > > > bitmaps > > > > + dbus > > > > live-block-operations > > > > pr-helper > > > > vhost-user > > > > -- > > > > 2.23.0 > > > > > > > -- > > > Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK > > > > > > > > > -- > > Marc-André Lureau > -- > Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK -- Marc-André Lureau