On Mon, Sep 16, 2019 at 11:00:35AM +0100, Dr. David Alan Gilbert wrote: > (Copying in Stefan since he was looking at DBus for virtiofs) > > * Marc-André Lureau (marcandre.lur...@redhat.com) wrote: > > Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com> > > --- > > docs/interop/dbus.rst | 73 ++++++++++++++++++++++++++++++++++++++++++ > > docs/interop/index.rst | 1 + > > 2 files changed, 74 insertions(+) > > create mode 100644 docs/interop/dbus.rst > > > > diff --git a/docs/interop/dbus.rst b/docs/interop/dbus.rst > > new file mode 100644 > > index 0000000000..c08f026edc > > --- /dev/null > > +++ b/docs/interop/dbus.rst > > @@ -0,0 +1,73 @@ > > +===== > > +D-Bus > > +===== > > + > > +Introduction > > +============ > > + > > +QEMU may be running with various helper processes involved: > > + - vhost-user* processes (gpu, virtfs, input, etc...) > > + - TPM emulation (or other devices) > > + - user networking (slirp) > > + - network services (DHCP/DNS, samba/ftp etc) > > + - background tasks (compression, streaming etc) > > + - client UI > > + - admin & cli > > + > > +Having several processes allows stricter security rules, as well as > > +greater modularity. > > + > > +While QEMU itself uses QMP as primary IPC (and Spice/VNC for remote > > +display), D-Bus is the de facto IPC of choice on Unix systems. The > > +wire format is machine friendly, good bindings exist for various > > +languages, and there are various tools available. > > + > > +Using a bus, helper processes can discover and communicate with each > > +other easily, without going through QEMU. The bus topology is also > > +easier to apprehend and debug than a mesh. However, it is wise to > > +consider the security aspects of it. > > + > > +Security > > +======== > > + > > +A QEMU D-Bus bus should be private to a single VM. Thus, only > > +cooperative tasks are running on the same bus to serve the VM. > > + > > +D-Bus, the protocol and standard, doesn't have mechanisms to enforce > > +security between peers once the connection is established. Peers may > > +have additional mechanisms to enforce security rules, based for > > +example on UNIX credentials. > > + > > +dbus-daemon can enforce various policies based on the UID/GID of the > > +processes that are connected to it. It is thus a good idea to run > > +helpers as different UID from QEMU and set appropriate policies (so > > +helper processes are only allowed to talk to qemu for example). > > + > > +For example, this allows only ``qemu`` user to talk to ``qemu-helper`` > > +``org.qemu.Helper1`` service: > > + > > +.. code:: xml > > + > > + <policy user="qemu"> > > + <allow send_destination="org.qemu.Helper1"/> > > + <allow receive_sender="org.qemu.Helper1"/> > > + </policy> > > + > > + <policy user="qemu-helper"> > > + <allow own="org.qemu.Helper1"/> > > + </policy> > > + > > + > > +dbus-daemon can also perfom SELinux checks based on the security > > +context of the source and the target. For example, ``virtiofs_t`` > > +could be allowed to send a message to ``svirt_t``, but ``virtiofs_t`` > > +wouldn't be allowed to send a message to ``virtiofs_t``. > > I think we need to start thinking about this more now rather than > 'can'. .
virtiofsd has two DBus interfaces: 1. org.qemu.Virtiofsd - the management interface We don't expect QEMU to communicate with this. Administrators or management tools will connect to this. 2. dbus-vmstate - we'll probably need this for live migration This is for QEMU<->vhost-user device backend communication. Stefan
signature.asc
Description: PGP signature