On 08.06.2012 17:42, Corey Bryant wrote:
> libvirt's sVirt security driver provides SELinux MAC isolation for
> Qemu guest processes and their corresponding image files. In other
> words, sVirt uses SELinux to prevent a QEMU process from opening
> files that do not belong to it.
>
> sVirt provides this support by labeling guests and resources with
> security labels that are stored in file system extended attributes.
> Some file systems, such as NFS, do not support the extended
> attribute security namespace, and therefore cannot support sVirt
> isolation.
>
> A solution to this problem is to provide fd passing support, where
> libvirt opens files and passes file descriptors to QEMU. This,
> along with SELinux policy to prevent QEMU from opening files, can
> provide image file isolation for NFS files stored on the same NFS
> mount.
>
> This patch series adds the passfd QMP monitor command, which allows
> an fd to be passed via SCM_RIGHTS, and returns the received file
> descriptor. Support is also added to the block layer to allow QEMU
> to dup the fd when the filename is of the /dev/fd/X format. This
> is useful if MAC policy prevents QEMU from opening specific types
> of files.
>
> One nice thing about this approach is that no new SELinux policy is
> required to prevent open of NFS files (files with type nfs_t). The
> virt_use_nfs boolean type simply needs to be set to false, and open
> will be prevented (and dup will be allowed). For example:
>
> # setsebool virt_use_nfs 0
> # getsebool virt_use_nfs
> virt_use_nfs --> off
>
> Corey Bryant (4):
>   qapi: Convert getfd and closefd
>   qapi: Add passfd QMP command
>   osdep: Enable qemu_open to dup pre-opened fd
>   block: Convert open calls to qemu_open
>
>  block/raw-posix.c |   18 +++++++++---------
>  block/raw-win32.c |    4 ++--
>  block/vdi.c       |    5 +++--
>  block/vmdk.c      |   21 +++++++++------------
>  block/vpc.c       |    2 +-
>  block/vvfat.c     |   21 +++++++++++----------
>  hmp-commands.hx   |    6 ++----
>  hmp.c             |   18 ++++++++++++++++++
>  hmp.h             |    2 ++
>  monitor.c         |   36 ++++++++++++++++++++----------------
>  osdep.c           |   13 +++++++++++++
>  qapi-schema.json  |   44 ++++++++++++++++++++++++++++++++++++++++++++
>  qmp-commands.hx   |   33 +++++++++++++++++++++++++++++----
>  13 files changed, 163 insertions(+), 60 deletions(-)

Looks good to me. If Luiz is okay with the QMP part, I'm going to apply
this to the block branch.

Corey, please make sure to check the host_floppy problem and send a patch
if necessary.

Kevin

-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
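The two mechanisms the cover letter describes, passing an already-open descriptor over a UNIX socket with SCM_RIGHTS and having the receiver reach it through a "/dev/fd/N" name by dup(2) rather than open(2), are shown below as an added, stand-alone C example. It is not code from the patch series or from QEMU or libvirt; the function names (parse_dev_fd, open_or_dup, send_fd, recv_fd, demo_passfd_roundtrip) are this example's own, and a pipe stands in for the image file so nothing is written to disk. The security-relevant detail is in open_or_dup: when the name is of the /dev/fd/N form the file is never opened by the receiving process, so a MAC policy that denies open on that file type (the virt_use_nfs case above) does not get in the way, while dup of a descriptor that was handed to the process is still permitted.

```c
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a "/dev/fd/N" path strictly: a non-negative decimal N and nothing
 * else. Returns N, or -1 if the path is not of that exact form. */
int parse_dev_fd(const char *path)
{
    const char *prefix = "/dev/fd/";
    size_t plen = strlen(prefix);
    if (strncmp(path, prefix, plen) != 0 || !isdigit((unsigned char)path[plen]))
        return -1;
    char *end;
    errno = 0;
    long n = strtol(path + plen, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0 || n > INT_MAX)
        return -1;
    return (int)n;
}

/* qemu_open()-style wrapper (hypothetical name): for "/dev/fd/N" dup the
 * descriptor that was already passed in, never calling open(2) on it;
 * for any other name fall back to a normal open(2). */
int open_or_dup(const char *path, int flags, mode_t mode)
{
    int fd = parse_dev_fd(path);
    if (fd >= 0) {
        if (fcntl(fd, F_GETFD) == -1)   /* refuse numbers that are not open fds */
            return -1;
        return dup(fd);
    }
    return open(path, flags, mode);
}

/* Buffer for exactly one descriptor's worth of ancillary data, aligned
 * the way cmsghdr requires. */
union fd_cmsg { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

/* Send one fd over a UNIX socket with SCM_RIGHTS. One payload byte is
 * carried because ancillary data needs at least one data byte. */
int send_fd(int sock, int fd)
{
    char data = 'F';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union fd_cmsg u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd; validates the control message before trusting it.
 * Returns the new descriptor number in this process, or -1. */
int recv_fd(int sock)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Round trip: the "libvirt" side opens the resource and passes it; the
 * "QEMU" side receives it and reads it only via "/dev/fd/N" + dup.
 * A pipe stands in for the image file (constructed input). Returns 0 on
 * success, -1 on any failure. */
int demo_passfd_roundtrip(void)
{
    int sv[2], pfd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || pipe(pfd) == -1)
        return -1;
    const char payload[] = "disk-image-bytes";
    if (write(pfd[1], payload, sizeof payload) != (ssize_t)sizeof payload)
        return -1;
    close(pfd[1]);
    if (send_fd(sv[0], pfd[0]) == -1)          /* libvirt side: passfd */
        return -1;
    close(pfd[0]);
    int got = recv_fd(sv[1]);                   /* QEMU side: receive */
    if (got == -1)
        return -1;
    char path[32];
    snprintf(path, sizeof path, "/dev/fd/%d", got);
    int fd = open_or_dup(path, O_RDONLY, 0);    /* dup, not open(2) */
    if (fd == -1)
        return -1;
    char buf[sizeof payload];
    ssize_t n = read(fd, buf, sizeof buf);
    int ok = n == (ssize_t)sizeof payload && memcmp(buf, payload, (size_t)n) == 0;
    close(fd); close(got); close(sv[0]); close(sv[1]);
    return ok ? 0 : -1;
}
```

The strict parser matters: if "/dev/fd/N" were matched loosely, a name such as "/dev/fd/7/../../etc/passwd" would fall through to open(2) with an unintended path, and the fcntl(F_GETFD) check keeps a stale or guessed number from being dup'd. Build with a POSIX C compiler (for example `cc -std=c11 -D_DEFAULT_SOURCE`) and call demo_passfd_roundtrip() from a main of your own.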