Re: [PATCH v4 0/5] Per-guest configurable user/group for QEMU processes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Any comments about that?

Regards,
Marcelo

On Tue, Sep 11, 2012 at 02:13:38PM -0400, Corey Bryant wrote:
> Are there any other requirements that need to be taken care of to
> enable execution of QEMU guests under separate unprivileged user IDs
> (ie. DAC isolation)?
> 
> At this point, this patch series (Per-guest configurable user/group
> for QEMU processes) is upstream, allowing libvirt to execute guests
> under separate unprivileged user IDs.  Additionally, the QEMU bridge
> helper series is upstream, allowing QEMU to allocate a tap device
> and attach it to a bridge when run under an unprivileged user ID (http://www.redhat.com/archives/libvir-list/2012-August/msg00277.html).
> 
> Is there any other feature in QEMU that requires QEMU to be run as root?
> 
> -- 
> Regards,
> Corey
> 
> On 08/15/2012 06:10 PM, Marcelo Cerri wrote:
> >This is a v4 patch series that updates the libvirt's security driver mechanism to support per-guest configurable user and group for QEMU processes running together with other security drivers, such as SELinux and AppArmor.
> >
> >Marcelo Cerri (5):
> >   Internal refactory of data structures
> >   Multiple security drivers in XML data
> >   Update security layer to handle many security labels
> >   Support for multiple default security drivers in QEMU config
> >   Update the remote API
> >
> >  daemon/remote.c                                    |   63 ++++
> >  docs/formatdomain.html.in                          |   11 +-
> >  docs/schemas/capability.rng                        |   18 +-
> >  docs/schemas/domaincommon.rng                      |   30 ++-
> >  include/libvirt/libvirt.h.in                       |    2 +
> >  python/generator.py                                |    1 +
> >  src/conf/capabilities.c                            |   17 +-
> >  src/conf/capabilities.h                            |    6 +-
> >  src/conf/domain_audit.c                            |   14 +-
> >  src/conf/domain_conf.c                             |  343 +++++++++++++++-----
> >  src/conf/domain_conf.h                             |   20 +-
> >  src/driver.h                                       |    4 +
> >  src/libvirt.c                                      |   47 +++
> >  src/libvirt_private.syms                           |    5 +
> >  src/libvirt_public.syms                            |    1 +
> >  src/lxc/lxc_conf.c                                 |    8 +-
> >  src/lxc/lxc_controller.c                           |    8 +-
> >  src/lxc/lxc_driver.c                               |   11 +-
> >  src/lxc/lxc_process.c                              |   23 +-
> >  src/qemu/qemu.conf                                 |    6 +-
> >  src/qemu/qemu_conf.c                               |   38 ++-
> >  src/qemu/qemu_conf.h                               |    2 +-
> >  src/qemu/qemu_driver.c                             |  218 +++++++++++---
> >  src/qemu/qemu_process.c                            |   50 ++-
> >  src/remote/remote_driver.c                         |   46 +++
> >  src/remote/remote_protocol.x                       |   17 +-
> >  src/remote_protocol-structs                        |   11 +
> >  src/security/security_apparmor.c                   |  118 +++++--
> >  src/security/security_dac.c                        |  324 +++++++++++++++++--
> >  src/security/security_manager.c                    |  101 +++++--
> >  src/security/security_manager.h                    |    8 +-
> >  src/security/security_selinux.c                    |  263 +++++++++++-----
> >  src/security/security_stack.c                      |  237 +++++++++-----
> >  src/security/security_stack.h                      |   13 +
> >  src/test/test_driver.c                             |   11 +-
> >  .../qemuxml2argv-seclabel-dynamic-override.xml     |    4 +-
> >  .../qemuxml2argv-seclabel-dynamic.xml              |    2 +-
> >  37 files changed, 1653 insertions(+), 448 deletions(-)
> >
> >--
> >libvir-list mailing list
> >libvir-list@xxxxxxxxxx
> >https://www.redhat.com/mailman/listinfo/libvir-list
> >

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]