Le mar. 26 mars 2019 15:34, Jag Raman <jag.ra...@oracle.com> a écrit :
> > > On 3/26/2019 4:08 AM, Stefan Hajnoczi wrote: > > On Fri, Mar 08, 2019 at 09:50:36AM +0000, Stefan Hajnoczi wrote: > >> On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote: > >>>> On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <stefa...@redhat.com> > wrote: > >>>> On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote: > >>>>> On Thu, Mar 07, 2019 at 02:26:09PM +0000, Stefan Hajnoczi wrote: > >>>>>> On Wed, Mar 06, 2019 at 11:22:53PM -0800, > elena.ufimts...@oracle.com wrote: > >>>>>>> diff --git a/docs/devel/qemu-multiprocess.txt > b/docs/devel/qemu-multiprocess.txt > >>>>>>> new file mode 100644 > >>>>>>> index 0000000..e29c6c8 > >>>>>>> --- /dev/null > >>>>>>> +++ b/docs/devel/qemu-multiprocess.txt > >>>>>> > >>>>>> Thanks for this document and the interesting work that you are > doing. > >>>>>> I'd like to discuss the security advantages gained by disaggregating > >>>>>> QEMU in more detail. > >>>>>> > >>>>>> The security model for VMs managed by libvirt (most production x86, > ppc, > >>>>>> s390 guests) is that the QEMU process is untrusted and only has > access > >>>>>> to resources belonging to the guest. SELinux is used to restrict > the > >>>>>> process from accessing other files, processes, etc on the host. > >>>>> > >>>>> NB it doesn't have to be SELinux. Libvirt also supports AppArmor and > >>>>> can even do isolation with traditional DAC by putting each QEMU under > >>>>> a distinct UID/GID and having libvirtd set ownership on resources > each > >>>>> VM is permitted to use. > >>>>> > >>>>>> QEMU does not hold privileged resources that must be kept away from > the > >>>>>> guest. An escaped guest can access its image file, tap file > descriptor, > >>>>>> etc but they are the same resources it could already access via > device > >>>>>> emulation. > >>>>>> > >>>>>> Can you give specific examples of how disaggregation improves > security? > >>>> > >>>> Elena & collaborators: Dan has posted some ideas but please share > yours > >>>> so the security benefits of this patch series can be better > understood. > >>>> > >>> > >>> Dan covered the main point. The security regime we use (selinux) > >>> constrains the actions of processes on objects, so having multiple > processes > >>> allows us to apply more fine-grained policies. > >> > >> Please share the SELinux policy files, containerization scripts, etc. > >> There is probably a home for them in qemu.git, libvirt.git, or elsewhere > >> upstream. > >> > >> We need to find a way to make the sandboxing improvements available to > >> users besides yourself and easily reusable for developers who wish to > >> convert additional device models. > Also for testing this series. > > > Ping? > > > > Without the scripts/policies there is no security benefit from this > > patch series. > > Hi Stefan, > > We are working on this. We'll get back to you once we have this > available. > > Thanks! > -- > Jag > > > > > Stefan > > > >
