On 01/28/2010 12:04 PM, Michael S. Tsirkin wrote:
On Thu, Jan 28, 2010 at 11:58:48AM -0600, Anthony Liguori wrote:
On 01/28/2010 10:37 AM, Michael S. Tsirkin wrote:
So actually, this is an interesting argument in favor of
turning disablenetwork from per-process as it is now
to per-file.
Yup. I think we really need a file-based restriction mechanism and so
far, neither disablenetwork or network namespace seems to do that.
I think you might be able to mitigate this with SELinux since I'm fairly
certain it can prevent SCM_RIGHTS but SELinux is not something that can
be enforced within a set of applications so we'd be relying on SELinux
being enabled (honestly, unlikely) and the policy being correctly
configured (unlikely in the general case at least).
Regards,
Anthony Liguori
I am not convinced SELinux being disabled is a problem we necessarily
need to deal with, and qemu does not verify e.g. that it is not run as
root either. A more serious problem IMO is that SCM_RIGHTS might be
needed for some other functionality.
It would mean that libvirt is insecure unless SELinux is enabled.
That's a pretty fundamental flaw IMHO.
At any rate, I think we both agree that we need to figure out a
solution, so that's good :-)
Regards,
Anthony Liguori
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html