On Thu, Apr 06, 2017 at 03:09:12PM +0300, Vasiliy Tolstov wrote:
> 2017-04-06 15:06 GMT+03:00 Vasiliy Tolstov <v.tolstov(a)selfip.ru>:
>> We already have a fine grained access control system that can be used to
>> restrict feature access...
> Also I don't think that libvirt access control has the ability to deny
> access based on function and payload. For example I need to deny for
> some users the ability to create a domain with memory more than 10G or
> a network with type nat.
Trying to do that kind of config access control at the libvirt API level is
doomed to failure. The ability to pass in an XML document describing a
guest gives you privileges equivalent to root. There are so many ways you
can use the XML document to give a guest access to host resources that trying
to do access restrictions based on XML content is impractical. You are
inevitably going to miss the existence of certain XML features and thus think
you have a locked down system where in fact you've left plenty of backdoors to
exploit it. Every time QEMU or libvirt is upgraded, new features are introduced,
so again what you thought was secure may now suddenly be insecure. This is why
we explicitly don't expose this info to the access control framework. You need
to have a much higher level representation of the guest configuration data &
related resources in order to do practical access control on usage of
individual guest config features.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-       http://search.cpan.org/~danberr/ :|