Joanna Rutkowska wrote:
> Avi Kivity wrote:
>> On 12/07/2009 03:05 PM, Joanna Rutkowska wrote:
>>> In particular, is
>>> it possible to move the qemu from the host to one of the VMs? Perhaps to
>>> have a separate copy of qemu for each VM? (a la Xen's stub-domains)
>>
>> It should be fairly easy to place qemu in a guest. You would leave a
>> simple program on the host to communicate with kvm and pass any data
>> written by the guest to qemu running in another guest, and feed any
>> replies back to the guest.
>
> But then you would need to have another qemu (on the host) to support
> running this "qemu-VM", where we want to put the qemu, right?
>
> joanna.

It really offers no advantage. The security assumption should be that a
guest can break into qemu. If a guest can break out of qemu, putting it
in another qemu means that we still need to assume it can break out of
that qemu. The host should treat the qemu process as hostile and
constrain it by using things like -runas, -chroot, SELinux, and
containers. This is what most production systems do today. libvirt
certainly takes this approach.

That's not to say that we know for sure that a guest can break into
qemu, but designing around that assumption gives us MLS.

Regards,

Anthony Liguori
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
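The "treat the qemu process as hostile" advice above boils down to one privilege-drop sequence: chroot first (it needs root), then clear supplementary groups and set the gid (also root-only), then setuid last, and finally verify that root cannot be regained. The block below is an added example written for this page, not qemu's or libvirt's code; it performs that sequence in the same order qemu's own -chroot/-runas options do, and the jail directory (/var/empty) and account name ("nobody") in main() are assumptions for illustration.

```c
/* Added example (not qemu's code): confine a hostile helper process the
 * way a host should confine qemu. Assumes a Linux/POSIX host; the jail
 * path and account name in main() are illustrative assumptions. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Move into `jail` (if non-NULL) and switch to uid/gid. Order matters:
 * chroot(), setgroups() and setgid() all require root, so they must run
 * before setuid() gives root away. Returns 0 on success, -1 with errno set. */
int confine_process(const char *jail, uid_t uid, gid_t gid)
{
    if (jail) {
        if (chdir(jail) != 0 || chroot(jail) != 0)
            return -1;
        /* chroot() does not move the cwd; do it explicitly so that a
         * relative path cannot walk back out of the jail. */
        if (chdir("/") != 0)
            return -1;
    }
    /* Drop supplementary groups inherited from the caller (root-only). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* setuid() as root sets real, effective and saved uid, so the drop
     * is permanent; this must be the last identity change. */
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Post-condition check: we are not root, and regaining root fails with
 * EPERM (a saved uid of 0 would let setuid(0) succeed). Returns 1 if the
 * confinement holds, 0 otherwise. */
int privileges_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* Resolve an unprivileged account; refuses uid 0. Returns 0 on success. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (!pw || pw->pw_uid == 0)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(void)
{
    uid_t uid;
    gid_t gid;
    /* "nobody" and /var/empty are assumed to exist on the host. */
    if (lookup_user("nobody", &uid, &gid) != 0) {
        fprintf(stderr, "no unprivileged 'nobody' account\n");
        return 1;
    }
    if (confine_process("/var/empty", uid, gid) != 0) {
        fprintf(stderr, "confine_process: %s\n", strerror(errno));
        return 1;
    }
    printf("uid=%u gid=%u confined=%d\n", (unsigned)geteuid(),
           (unsigned)getegid(), privileges_dropped());
    return privileges_dropped() ? 0 : 1;
}
```

Run as root, the program ends up as "nobody" inside /var/empty and reports confined=1; run unprivileged, chroot() fails with EPERM, which is the expected refusal rather than a silent fallback. The check in privileges_dropped() is the part most wrappers forget: a helper that called seteuid() instead of setuid() passes the geteuid() test but can still climb back to root.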