On 07/20/11 11:36, Daniel P. Berrange wrote:
> On Wed, Jul 20, 2011 at 10:23:12AM +0200, Jes Sorensen wrote:
>> Pardon, but I fail to see the issue here. If QEMU passes a filename back
>> to libvirt, libvirt still gets to make the decision whether or not it is
>> legitimate for QEMU to get that file descriptor or not. It doesn't
>> change anything wrt who actually opens the file, hence the 'trust' is
>> unchanged.
>
> To make the decision whether the filename from QEMU is valid, we have
> to parse the master image header data to see if the filename actually
> matches the backing file required by the image assigned to the guest.

Sorry, but that doesn't make any sense. In other words, if someone hacks
an image and makes it point to a different file, you are going to allow
the backing file to be opened just because it is listed in the image?
If this is really the approach you are suggesting, it seems to me the
whole 'do not allow random opens on NFS' security thing has gone out the
window.

To the best of my understanding, the whole idea with SELinux attributes
was to be able to specify which files are allowed to be opened by a
given process. Mapping this to the libvirt model, it should mean libvirt
ought to carry a positive list of files that are allowed to be opened,
rather than relying on what might be written to an image file.

Jes
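The two policies argued over above, as an added illustration that is not part of this thread and not libvirt or QEMU code: the qcow2 header fields used (magic, version, backing_file_offset, backing_file_size, all big-endian) are the real on-disk layout, but the image bytes, the pool directory /srv/vmpool/images and the allowlist contents are constructed for the demo. The header parser treats the image as untrusted input and bounds-checks the offsets; the decision function then consults only a positive list that the management layer recorded from its own configuration, so a backing-file name edited into the header (including a relative one that walks out of the pool directory) is rejected rather than honoured.

```python
import os
import struct

# qcow2 header layout (big-endian): magic "QFI\xfb", u32 version,
# u64 backing_file_offset, u32 backing_file_size.
QCOW2_MAGIC = b"QFI\xfb"
QCOW2_V3_HEADER_LEN = 104
MAX_BACKING_NAME = 1023  # upper bound from the qcow2 specification


def parse_qcow2_backing_file(image: bytes):
    """Return the backing-file name stored in a qcow2 header, or None.

    The name comes from untrusted data (the image file itself), so every
    offset and length is checked before it is dereferenced.
    """
    if len(image) < 20 or image[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, backing_off, backing_len = struct.unpack(">IQI", image[4:20])
    if version not in (2, 3):
        raise ValueError(f"unsupported qcow2 version {version}")
    if backing_off == 0 or backing_len == 0:
        return None
    if backing_len > MAX_BACKING_NAME or backing_off + backing_len > len(image):
        raise ValueError("backing file name out of bounds")
    return image[backing_off:backing_off + backing_len].decode("utf-8")


def build_qcow2_image(backing):
    """Construct a minimal qcow2 v3 header (demo data, not a usable image)."""
    name = backing.encode("utf-8") if backing else b""
    hdr = bytearray(QCOW2_V3_HEADER_LEN)
    hdr[0:4] = QCOW2_MAGIC
    off = QCOW2_V3_HEADER_LEN if name else 0  # name appended right after header
    struct.pack_into(">IQI", hdr, 4, 3, off, len(name))
    return bytes(hdr) + name


def resolve_backing(image_dir: str, name: str) -> str:
    """Backing names may be relative to the image's directory; canonicalize
    so '..' components and symlinks cannot disguise the final target."""
    path = name if os.path.isabs(name) else os.path.join(image_dir, name)
    return os.path.realpath(path)


def decide_backing_fd(image: bytes, image_dir: str, allowlist: set):
    """Positive-list policy: the backing file named in the header may be
    opened only if its canonical path is already on the list libvirt built
    from the disk configuration it assigned to the guest. The header itself
    is never the authority for that decision."""
    name = parse_qcow2_backing_file(image)
    if name is None:
        return ("no-backing", None)
    path = resolve_backing(image_dir, name)
    return ("allow" if path in allowlist else "deny", path)


if __name__ == "__main__":
    pool = "/srv/vmpool/images"                       # constructed pool directory
    allowed = {"/srv/vmpool/images/base.qcow2"}       # recorded by the manager, not read from the image
    for backing in ("base.qcow2", "../../../other-tenant/disk.img"):
        print(backing, "->", decide_backing_fd(build_qcow2_image(backing), pool, allowed))
```

The point of the split is that parse_qcow2_backing_file is only ever asked "what does the image claim?", while decide_backing_fd answers "was this file ever granted to this guest?"; a tampered header can change the first answer but not the second.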