Re: [libvirt] Fine grained Access Control in libVirt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, Dan

Would you explain the difference with sVirt?
The final goal sVirt seems same form me.
(for example, define many security domain etc in .te file.)

Or it just a little changes from sVirt implementation?

Thanks
Atsushi SAKAI


"Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:

> On Thu, Jan 15, 2009 at 02:39:20PM +0100, Konrad Eriksson1 wrote:
> > After some background research it doesn't look like anyone have taken on 
> > the task yet to add fine-grained access control to libVirt (only option 
> > right now is R/W or RO mode).
> > 
> > Desired is an addition to libVirt that enables access control on 
> > individual actions and data that can be accessed through the library API.
> > This could take the form of an AC-module that, based on the identity of 
> > the caller, checks each call and grants/denies access to carry out the 
> > action (could also take parameters in account) and optionally filter the 
> > return data.
> > The AC-module could then interface different backend AC solutions 
> > (SELinux, RBAC, ...) or alternatively implement an internal scheme.
> > 
> > When looking at the libvirt core and driver framework it seems promising 
> > to inject these kind of call-out hooks either in libvirt.c or between 
> > libvirt.c and the underlying drivers, by doing this AC will be enforced 
> > independent of if a local or remote call is done to libVirt.
> > 
> > I propose an approach to create an AC-module that conforms to the driver 
> > API in libVirt and to inject it in the call-path between libvirt.c and the 
> > driver(s) to enable the AC-module to inspect the call before sending it to 
> > the real driver.
> > Normal call path: user -> libvirt.c -> driver_x
> > AC-module injected in call path: user -> libvirt.c -> AC-module -> 
> > driver_x
> > 
> > By doing this it can be loaded/unloaded in run-time and also selectable 
> > what driver paths it should enforce (hypervisor(aka. driver), storage, 
> > network...).
> > The AC-module can also be made in different flavors for different AC 
> > backend (SELinux, RBAC, internal, ...) solutions and the appropriate 
> > AC-module could be loaded without needing re-compiling.
> > This approach would also leave a very small footprint in existing libvirt 
> > code (only need to inject AC-module driver after normal drivers has been 
> > loaded)
> 
> FYI, I had discussed the alternative approach with Konrad offlist
> prior to this thread. Namely, instead of having a driver, layered
> in, put a call to something like virCheckAccess() directly into
> libvirt.c replacing the RO checks. The complication with doing it
> this way, is deciding what information to pass to the virCheckAccess
> methods. Obviously the operation name, and then some context for
> the object to the be checked. Do we just pass the virDomainPtr
> in there. Might need the XML for a new domain create call. Might
> want the other virConnectPtr for a migrate call and so on. Seems
> like we'd quickly end up having to pass all possible params through
> to the virCheckAcces method. At which point it really just becomes
> simpler to layer in the checks via the driver API which already
> has access to all the neccessary bits of info.
> 
> So I think its reasonable to have MAC calls stacked into the driver
> API as Konrad illustrates above. The initial impl would just duplicate
> our existing RO checks, then we can consider other impls RBAC/SELinux
> etc
> 
> Daniel
> -- 
> |: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
> |: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
> 
> --
> Libvir-list mailing list
> Libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list


--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]