On Wed, Mar 24, 2010 at 03:26:53PM +0000, Daniel P. Berrange wrote: > On Wed, Mar 24, 2010 at 04:01:37PM +0100, Joerg Roedel wrote: > > >> An approach like: "The files are owned and only readable by the same > > >> user that started the vm." might be a good start. So a user can measure > > >> its own guests and root can measure all of them. > > > > > > That's not how sVirt works. sVirt isolates a user's VMs from each > > > other, so if a guest breaks into qemu it can't break into other guests > > > owned by the same user. > > > > If a vm breaks into qemu it can access the host file system which is the > > bigger problem. In this case there is no isolation anymore. From that > > context it can even kill other VMs of the same user independent of a > > hypothetical /sys/kvm/. > > No it can't. With sVirt every single VM has a custom security label and > the policy only allows it access to disks / files with a matching label, > and prevents it attacking any other VMs or processes on the host. THis > confines the scope of any exploit in QEMU to those resources the admin > has explicitly assigned to the guest. Even better. So a guest which breaks out can't even access its own /sys/kvm/ directory. Perfect, it doesn't need that access anyway. Joerg -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
