On Fri, Dec 05, 2014 at 09:57:36AM -0700, Eric Blake wrote:
> On 12/05/2014 04:18 AM, Daniel P. Berrange wrote:
> > On Fri, Dec 05, 2014 at 12:12:46PM +0100, Michal Privoznik wrote:
> >> From: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
> >>
> >> If a user doesn't specify script in network type ethernet, assume
> >> that he/she needs a simple tap device created by libvirt. This
> >> commit does not need to run external script to create tap device
> >> or add root to qemu process. Moreover, some functions need to be
> >> mocked now for qemuxml2argvtest, e.g. virNetDevTapCreate() or
> >> virNetDevSetOnline().
> >
> > Hmm, even if the user does provide a script, perhaps libvirt could
> > create the TAP device *and* run the script itself. This would finally
> > allow us to run QEMU unprivileged with type=ethernet in all cases.
> > eg take QEMU entirely out of the picture for NIC setup
>
> Don't we still have to mark things as tainted, and be careful that
> executing an arbitrary script is not going to hose the host if a
> less-privileged user (such as via fine-grained ACLs) passes a suspicious
> script?

Well the choice of script path is constrained based on the privilege
required to define XML config. That is already effectively equivalent
to root, so I don't think we need be concerned about what the script
actually does from a security POV.

I'm still somewhat inclined to leave the config as "tainted" though,
simply because of the fact that the scripts are an opaque black box
that we don't have visibility into. So they definitely have the potential
to screw up host or guest config in ways that people responding to
support tickets should be made aware of by the tainting flag.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|