On Fri, May 04, 2012 at 11:28:47AM +0800, Zhi Yong Wu wrote:
> On Tue, May 1, 2012 at 11:31 PM, Stefan Hajnoczi
> <stefanha@xxxxxxxxxxxxxxxxxx> wrote:
> > Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
> > it from opening files that it should not have access to.  This improves
> > security because it prevents the attacker from escaping the QEMU process if
> > they manage to gain control.
> >
> > NFS has been a pain point for SELinux because it does not support labels (which
> > I believe are stored in extended attributes).  In other words, it's not
> > possible to use SELinux goodness on QEMU when image files are located on NFS.
> > Today we have to allow QEMU access to any file on the NFS export rather than
> > restricting specifically to the image files that the guest requires.
> >
> > File descriptor passing is a solution to this problem and might also come in
> > handy elsewhere.  Libvirt or another external process chooses files which QEMU
> > is allowed to access and provides just those file descriptors - QEMU cannot
> > open the files itself.
> >
> > This series adds the -open-hook-fd command-line option.  Whenever QEMU needs to
> > open an image file it sends a request over the given UNIX domain socket.  The
> > response includes the file descriptor or an errno on failure.  Please see the
> > patches for details on the protocol.
> >
> > The -open-hook-fd approach allows QEMU to support file descriptor passing
> > without changing -drive.  It also supports snapshot_blkdev and other commands
> By the way, how will it support them?

The problem with snapshot_blkdev is that closing a file and opening a new
file cannot be done by the QEMU process when an SELinux policy is in place
to prevent opening files.

The -open-hook-fd approach works even when the QEMU process is not allowed
to open files since file descriptor passing over a UNIX domain socket is
used to open files on behalf of QEMU.
Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
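The exchange Stefan describes above, as an added illustration that is not part of this thread, of libvirt, or of the QEMU -open-hook-fd patches: a minimal "open hook" that receives a request over a UNIX domain socket, decides against an allowlist, opens the file on the requester's behalf, and hands the descriptor back as SCM_RIGHTS ancillary data, with an errno value in the reply when it refuses. The wire format (a fixed-size request struct, a 4-byte status reply), the allowlist policy, the open(2) flag masking and every `hook_*` name are assumptions made for this example; the real protocol is in the patches, which this page does not reproduce. The code targets Linux (MSG_CMSG_CLOEXEC) and uses a socketpair plus a constructed temp file so it runs offline.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed wire format for this example (not the format used by the real patches):
 * request = one struct hook_request; reply = int32_t status (0, or an errno value),
 * with the opened descriptor attached as SCM_RIGHTS ancillary data when status == 0. */
struct hook_request {
    int32_t flags;                    /* open(2) flags the client asks for */
    char path[1024];                  /* NUL-terminated absolute path */
};

static int read_full(int fd, char *p, size_t len) {   /* SOCK_STREAM may deliver in pieces */
    for (ssize_t n; len > 0; p += n, len -= (size_t)n)
        if ((n = read(fd, p, len)) <= 0) return -1;   /* error or peer closed */
    return 0;
}

/* Hook side: exact match against the image files the guest was configured with. */
int hook_path_allowed(const char *path, const char *const *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(path, allowed[i]) == 0) return 1;
    return 0;
}

static int send_response(int sock, int32_t status, int fd) {
    struct iovec iov = { .iov_base = &status, .iov_len = sizeof status };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cm = {{0}};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {                    /* attach the descriptor; the kernel dups it into the peer */
        msg.msg_control = cm.buf;
        msg.msg_controllen = sizeof cm.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)sizeof status ? 0 : -1;
}

/* Hook side: service exactly one request; returns 0 once a reply has been sent. */
int hook_serve_one(int sock, const char *const *allowed, size_t n_allowed) {
    struct hook_request req;
    if (read_full(sock, (char *)&req, sizeof req) < 0) return -1;
    req.path[sizeof req.path - 1] = '\0';             /* never trust the peer's terminator */
    if (!hook_path_allowed(req.path, allowed, n_allowed)) return send_response(sock, EACCES, -1);
    /* Example policy: existing files only, never create/truncate, never follow a symlink. */
    int fd = open(req.path, (req.flags & O_ACCMODE) | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0) return send_response(sock, errno, -1);
    int rc = send_response(sock, 0, fd);
    close(fd);                                        /* our copy; the peer now owns its own */
    return rc;
}

/* QEMU side, step 1: send the request. Returns 0 or -errno. */
int hook_send_request(int sock, const char *path, int flags) {
    struct hook_request req = { .flags = flags };
    if (strlen(path) >= sizeof req.path) return -ENAMETOOLONG;
    strcpy(req.path, path);
    return write(sock, &req, sizeof req) == (ssize_t)sizeof req ? 0 : -EIO;
}

/* QEMU side, step 2: read the reply. Returns an fd >= 0, or -errno. */
int hook_recv_response(int sock) {
    int32_t status = 0, fd = -1;
    struct iovec iov = { .iov_base = &status, .iov_len = sizeof status };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cm;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cm.buf, .msg_controllen = sizeof cm.buf };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != (ssize_t)sizeof status) return -EPROTO;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof fd);
    if (status != 0 || (msg.msg_flags & MSG_CTRUNC)) {
        if (fd >= 0) close(fd);                       /* don't leak a descriptor on an error reply */
        return status != 0 ? -(int)status : -EPROTO;
    }
    return fd >= 0 ? fd : -EPROTO;
}

/* Single-threaded round trip over a socketpair: the kernel buffers the request, so the hook
 * can run between send and receive. Returns 0 if every step behaved as expected. */
int hook_demo(void) {
    static const char payload[] = "constructed image bytes";   /* stand-in image content */
    char tmpl[] = "/tmp/hookdemo-XXXXXX", buf[sizeof payload] = {0};
    const char *allowed[] = { tmpl };
    int sv[2] = { -1, -1 }, fd = mkstemp(tmpl), rc = 1;
    if (fd < 0 || write(fd, payload, sizeof payload) != (ssize_t)sizeof payload ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) goto out;
    close(fd); fd = -1;
    /* 1. an allowed image: the client gets a descriptor without ever calling open() itself */
    if (hook_send_request(sv[0], tmpl, O_RDONLY) || hook_serve_one(sv[1], allowed, 1) ||
        (fd = hook_recv_response(sv[0])) < 0) { rc = 2; goto out; }
    if (read(fd, buf, sizeof buf) != (ssize_t)sizeof payload || memcmp(buf, payload, sizeof payload)) { rc = 3; goto out; }
    /* 2. anything outside the allowlist is refused by the hook itself, not by the filesystem */
    if (hook_send_request(sv[0], "/etc/passwd", O_RDONLY) || hook_serve_one(sv[1], allowed, 1)) { rc = 4; goto out; }
    rc = hook_recv_response(sv[0]) == -EACCES ? 0 : 5;
out:
    if (fd >= 0) close(fd);
    close(sv[0]); close(sv[1]); unlink(tmpl);
    return rc;
}

int main(void) { return hook_demo(); }              /* exit status 0 means both steps passed */
```

The point the thread makes is visible in the second step: /etc/passwd is world-readable, yet the requester never gets it, because the decision is taken by the hook side, which holds the allowlist, and not by the filesystem or by a label on the file. That is exactly what makes the scheme work on an unlabelled NFS export and under an SELinux policy that denies the QEMU process open(2) altogether; a snapshot_blkdev-style reopen simply becomes another request over the same socket. The descriptor crosses the socket with SCM_RIGHTS, so the kernel duplicates it into the receiver without the receiver ever naming the path, and MSG_CMSG_CLOEXEC keeps the received fd from leaking into child processes.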