On Thu, Jan 28, 2010 at 11:58:48AM -0600, Anthony Liguori wrote: > On 01/28/2010 10:37 AM, Michael S. Tsirkin wrote: >> So actually, this is an interesting argument in favor of >> turning disablenetwork from per-process as it is now >> to per-file. >> > > Yup. I think we really need a file-based restriction mechanism and so > far, neither disablenetwork or network namespace seems to do that. > > I think you might be able to mitigate this with SELinux since I'm fairly > certain it can prevent SCM_RIGHTS but SELinux is not something that can > be enforced within a set of applications so we'd be relying on SELinux > being enabled (honestly, unlikely) and the policy being correctly > configured (unlikely in the general case at least). > > Regards, > > Anthony Liguori I am not convinced SELinux being disabled is a problem we necessarily need to deal with, and qemu does not verify e.g. that it is not run as root either. A more serious problem IMO is that SCM_RIGHTS might be needed for some other functionality. >> >>> Regards, >>> >>> Anthony Liguori >>> >>> >>>>> Regards, >>>>> >>>>> Anthony Liguori >>>>> >>>>> -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
