On 07/20/11 11:36, Daniel P. Berrange wrote:
> On Wed, Jul 20, 2011 at 10:23:12AM +0200, Jes Sorensen wrote:
>> Pardon, but I fail to see the issue here. If QEMU passes a filename back
>> to libvirt, libvirt still gets to make the decision whether or not it is
>> legitimate for QEMU to get that file descriptor or not. It doesn't
>> change anything wrt who actually opens the file, hence the 'trust' is
>> unchanged.
>
> To make the decision whether the filename from QEMU is valid, we have
> to parse the master image header data to see if the filename actually
> matches the backing file required by the image assigned to the guest.

Sorry, but that doesn't make any sense. In other words, if someone hacks
an image and makes it point to a different file, you are going to allow
the backing file to be opened just because it is listed in the image?

If this is really the approach you are suggesting, it seems to me the
whole 'do not allow random opens on NFS' security thing has gone out the
window.

To the best of my understanding, the whole idea with selinux attributes
was to be able to specify which files are allowed to be opened by a
given process. Mapping this to the libvirt model, it should mean libvirt
ought to carry a positive list of files that are allowed to be opened,
rather than relying on what might be written to an image file.

Jes

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
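As an added illustration of the positive-list approach argued for in this reply (example code, not libvirt's or QEMU's own): the backing-file name carried in a qcow2 header is read only as untrusted input, and a separate allowlist built from the guest's configuration decides whether an open may proceed. The header fields follow the fixed qcow2 v2 layout; the allowlist paths and the header-only sample image are constructed for the example.

```python
import os
import struct
from typing import Optional, Set

# Leading fixed fields of a qcow2 header, big-endian:
# magic 'QFI\xfb', version u32, backing_file_offset u64, backing_file_size u32
QCOW2_MAGIC = b"QFI\xfb"
HEADER_FMT = ">4sIQI"
V2_HEADER_LEN = 72


def backing_file_from_header(image: bytes) -> Optional[str]:
    """Return the backing-file name the image claims, or None if it has none.
    Whoever wrote the image chose this string, so it is attacker-controlled
    data and must never by itself authorise an open."""
    magic, version, off, size = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != QCOW2_MAGIC or version not in (2, 3):
        raise ValueError("not a qcow2 image")
    if size == 0:
        return None
    if off + size > len(image):
        raise ValueError("backing-file name lies outside the image")
    return image[off:off + size].decode("utf-8")


def may_open(requested: str, allowed: Set[str]) -> bool:
    """Positive-list policy: permit the open only if the canonical path of the
    requested file is one libvirt already knows for this guest. Both sides
    are canonicalised so '..' components and symlinks cannot slip past."""
    canonical = os.path.realpath(requested)
    return canonical in {os.path.realpath(p) for p in allowed}


def gate_backing_open(image: bytes, allowed: Set[str]) -> Optional[str]:
    """Combine the two: read the claimed backing file, then let the allowlist
    decide. Returns the path to open, or None when policy denies it."""
    name = backing_file_from_header(image)
    if name is None or not may_open(name, allowed):
        return None
    return name


def build_sample_image(backing: bytes) -> bytes:
    """Constructed sample: a header-only qcow2 whose backing-file field names
    `backing`. It is not a usable disk image, only enough to exercise parsing."""
    header = struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, V2_HEADER_LEN, len(backing))
    return header.ljust(V2_HEADER_LEN, b"\0") + backing


# Constructed allowlist, standing in for what libvirt derives from guest config.
ALLOWED = {"/var/lib/libvirt/images/base.qcow2"}
```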