On Thu, May 17, 2012 at 9:42 PM, Stefan Hajnoczi <stefanha@xxxxxxxxxxxxxxxxxx> wrote:
> On Fri, May 04, 2012 at 11:28:47AM +0800, Zhi Yong Wu wrote:
>> On Tue, May 1, 2012 at 11:31 PM, Stefan Hajnoczi
>> <stefanha@xxxxxxxxxxxxxxxxxx> wrote:
>> > Libvirt can take advantage of SELinux to restrict the QEMU process and prevent
>> > it from opening files that it should not have access to. This improves
>> > security because it prevents the attacker from escaping the QEMU process if
>> > they manage to gain control.
>> >
>> > NFS has been a pain point for SELinux because it does not support labels (which
>> > I believe are stored in extended attributes). In other words, it's not
>> > possible to use SELinux goodness on QEMU when image files are located on NFS.
>> > Today we have to allow QEMU access to any file on the NFS export rather than
>> > restricting specifically to the image files that the guest requires.
>> >
>> > File descriptor passing is a solution to this problem and might also come in
>> > handy elsewhere. Libvirt or another external process chooses files which QEMU
>> > is allowed to access and provides just those file descriptors - QEMU cannot
>> > open the files itself.
>> >
>> > This series adds the -open-hook-fd command-line option. Whenever QEMU needs to
>> > open an image file it sends a request over the given UNIX domain socket. The
>> > response includes the file descriptor or an errno on failure. Please see the
>> > patches for details on the protocol.
>> >
>> > The -open-hook-fd approach allows QEMU to support file descriptor passing
>> > without changing -drive. It also supports snapshot_blkdev and other commands
>> By the way, how will it support them?
>
> The problem with snapshot_blkdev is that closing a file and opening a
> new file cannot be done by the QEMU process when an SELinux policy is in
> place to prevent opening files.
>
> The -open-hook-fd approach works even when the QEMU process is not
> allowed to open files since file descriptor passing over a UNIX domain
> socket is used to open files on behalf of QEMU.

I thought that the patchset can only let QEMU passively get a passed fd parameter from the upper application.

> Stefan

--
Regards,
Zhi Yong Wu

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
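The mechanism the thread is discussing, a broker opening a file and handing the descriptor over a UNIX domain socket so that the restricted process never calls open() itself, as an added C example that is not part of this thread or of the QEMU/libvirt patches. The request/reply wire format, the allow-list and running the broker in the same process over a socketpair are assumptions made for the demo:

```c
/* Added example, not QEMU or libvirt code: SCM_RIGHTS fd passing as used by -open-hook-fd.
   Assumed wire format: request = path string; reply = int errno (0 = ok) plus the fd. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
static const char *allowed[] = { "/dev/null", "/dev/zero" }; /* assumed allow-list (libvirt's role) */
/* Reply with errno in the data bytes and, on success, the fd as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd, int err)
{
    struct iovec iov = { &err, sizeof err };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = {{0}};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}
/* Broker side: read the requested path, enforce the allow-list, open it and pass the fd. */
static void serve_one(int sock)
{
    char path[256]; int fd = -1, err = EACCES;
    ssize_t n = read(sock, path, sizeof path - 1);
    if (n <= 0) return; path[n] = '\0';
    for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
        if (strcmp(path, allowed[i]) == 0) { fd = open(path, O_RDONLY | O_CLOEXEC); err = fd < 0 ? errno : 0; }
    send_fd(sock, fd, err);
    if (fd >= 0) close(fd);   /* the in-flight copy stays valid for the receiver */
}
/* Restricted side (QEMU's role): never calls open(); returns the fd, or -errno from the broker. */
int open_via_hook(const char *path)
{
    int sv[2], err = 0, fd = -1;
    if (!path[0]) return -EINVAL;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    if (write(sv[1], path, strlen(path)) < 0) return -errno;
    serve_one(sv[0]);         /* in real use this runs in the broker process, not here */
    struct iovec iov = { &err, sizeof err };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sv[1], &msg, MSG_CMSG_CLOEXEC) < 0) err = errno;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof(int));
    close(sv[0]); close(sv[1]);
    return fd >= 0 ? fd : -err;
}
```

The received descriptor is marked close-on-exec via MSG_CMSG_CLOEXEC so it cannot leak into child processes, and a path outside the allow-list yields -EACCES without the broker ever opening it.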