On Wed, Jul 20, 2011 at 11:28 AM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
> On Wed, Jul 20, 2011 at 12:15:02PM +0200, Nicolas Sebrecht wrote:
>> The 20/07/11, Daniel P. Berrange wrote:
>>
>> > To make the decision whether the filename from QEMU is valid, we have
>> > to parse the master image header data to see if the filename actually
>> > matches the backing file required by the image assigned to the guest.
>>
>> Actually, libvirt should not have to worry if the filename provided by
>> QEMU is valid. I think it should trust QEMU. If QEMU doesn't provide
>> information others can trust, it should be fixed at QEMU side.
>
> The security goal of libvirt is to protect the host from a compromised
> QEMU, therefore QEMU is, by definition, untrusted.

This is a very reasonable goal. QEMU is constantly dealing with the
untrusted guest. The whole point of SELinux isolation of QEMU is to
contain any compromise to a single VM and reduce the capabilities of
that process to the minimum. libvirt needs to help set the boundaries
of what the QEMU process can do.

Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
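An added example, not code from this thread or from libvirt, of the check Daniel describes: read the backing-file name out of the qcow2 header on disk (which the host wrote, not QEMU) and accept the name QEMU reports only if it resolves to that same file. It assumes the qcow2 v2/v3 header layout and builds a minimal constructed header inline; the image path used in the test is a made-up sample.

```python
import os
import struct

QCOW2_MAGIC = 0x514649FB
# qcow2 v2 header, big-endian: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size, crypt_method, l1_size,
# l1_table_offset, refcount_table_offset, refcount_table_clusters,
# nb_snapshots, snapshots_offset (v3 adds fields after these 72 bytes)
HEADER_FMT = ">IIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72


def qcow2_backing_file(image: bytes):
    """Return the backing file name the header requires, or None if it has none.
    Raises ValueError for anything that is not a sane qcow2 header, since the
    header bytes are the only input here that is not under QEMU's control."""
    if len(image) < HEADER_LEN:
        raise ValueError("truncated qcow2 header")
    magic, version, bf_offset, bf_size = struct.unpack(HEADER_FMT, image[:HEADER_LEN])[:4]
    if magic != QCOW2_MAGIC or version not in (2, 3):
        raise ValueError("not a qcow2 image")
    if bf_offset == 0 or bf_size == 0:
        return None
    # qcow2 limits the name to 1023 bytes; also refuse names pointing past the data we have
    if bf_size > 1023 or bf_offset + bf_size > len(image):
        raise ValueError("backing file name out of bounds")
    return image[bf_offset:bf_offset + bf_size].decode("utf-8")


def backing_file_is_expected(image: bytes, image_path: str, reported: str) -> bool:
    """True only if the name QEMU reported resolves to the file the master
    image's header names. Relative names resolve against the image's directory,
    so an absolute or '../' name from QEMU that lands elsewhere is rejected."""
    expected = qcow2_backing_file(image)
    if expected is None:
        return False  # header needs no backing file, so nothing QEMU asks for is valid
    base = os.path.dirname(os.path.abspath(image_path))
    want = os.path.normpath(os.path.join(base, expected))
    got = os.path.normpath(os.path.join(base, reported))
    return want == got


def build_sample_qcow2(backing: bytes) -> bytes:
    """Constructed minimal qcow2 v2 header with the backing name right after it."""
    hdr = struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, HEADER_LEN, len(backing),
                      16, 1 << 30, 0, 1, 0, 0, 0, 0, 0)
    return hdr + backing
```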