On Thu, Jan 28, 2010 at 01:57:33PM -0600, Anthony Liguori wrote: > On 01/28/2010 12:04 PM, Michael S. Tsirkin wrote: >> On Thu, Jan 28, 2010 at 11:58:48AM -0600, Anthony Liguori wrote: >> >>> On 01/28/2010 10:37 AM, Michael S. Tsirkin wrote: >>> >>>> So actually, this is an interesting argument in favor of >>>> turning disablenetwork from per-process as it is now >>>> to per-file. >>>> >>>> >>> Yup. I think we really need a file-based restriction mechanism and so >>> far, neither disablenetwork or network namespace seems to do that. >>> >>> I think you might be able to mitigate this with SELinux since I'm fairly >>> certain it can prevent SCM_RIGHTS but SELinux is not something that can >>> be enforced within a set of applications so we'd be relying on SELinux >>> being enabled (honestly, unlikely) and the policy being correctly >>> configured (unlikely in the general case at least). >>> >>> Regards, >>> >>> Anthony Liguori >>> >> I am not convinced SELinux being disabled is a problem we necessarily >> need to deal with, and qemu does not verify e.g. that it is not run as >> root either. A more serious problem IMO is that SCM_RIGHTS might be >> needed for some other functionality. >> > > It would mean that libvirt is insecure unless SELinux is enabled. > That's a pretty fundamental flaw IMHO. > > At any rate, I think we both agree that we need to figure out a > solution, so that's good :-) > > Regards, > > Anthony Liguori Yes, but I am still not sure the problem is real. Pls discuss on netdev. -- MST -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html