
On Wed, Jul 20, 2011 at 11:28 AM, Daniel P. Berrange <berrange@redhat.com> wrote:
> On Wed, Jul 20, 2011 at 12:15:02PM +0200, Nicolas Sebrecht wrote:
> > The 20/07/11, Daniel P. Berrange wrote:
> > > To make the decision whether the filename from QEMU is valid, we have to parse the master image header data to see if the filename actually matches the backing file required by the image assigned to the guest.
> > Actually, libvirt should not have to worry if the filename provided by QEMU is valid. I think it should trust QEMU. If QEMU doesn't provide information others can trust, it should be fixed at QEMU side.
> The security goal of libvirt is to protect the host from a compromised QEMU, therefore QEMU is, by definition, untrusted.

This is a very reasonable goal. QEMU is constantly dealing with the untrusted guest. The whole point of SELinux isolation of QEMU is to contain any compromise to a single VM and reduce the capabilities of that process to the minimum. libvirt needs to help set the boundaries of what the QEMU process can do.

Stefan
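The check Daniel describes, as an added example that is not code from this thread or from libvirt: parse the qcow2 header of the image assigned to the guest and accept the backing file QEMU asks for only if that header names it. The header layout follows the qcow2 format; the sample header is constructed inline, and the 1023-byte name cap and the resolution of relative names against the image's directory are assumptions about how a validator would behave.

```python
import os
import struct
from typing import Optional

QCOW2_MAGIC = 0x514649FB      # b"QFI\xfb"
QCOW2_HEADER_LEN = 72         # fixed part of the v2 header
MAX_BACKING_NAME = 1023       # assumed upper bound on a backing file name


def qcow2_backing_file(image: bytes) -> Optional[str]:
    """Return the backing file name recorded in a qcow2 header, or None.
    Every offset taken from the header is bounds-checked: the image file is
    not trusted any more than the QEMU process that reports on it."""
    if len(image) < QCOW2_HEADER_LEN:
        raise ValueError("truncated qcow2 header")
    magic, version, bf_off, bf_size = struct.unpack(">IIQI", image[:20])
    if magic != QCOW2_MAGIC or version not in (2, 3):
        raise ValueError("not a qcow2 v2/v3 image")
    if bf_off == 0 or bf_size == 0:
        return None                      # standalone image, no backing file
    if bf_size > MAX_BACKING_NAME or bf_off + bf_size > len(image):
        raise ValueError("backing file name out of bounds")
    name = image[bf_off:bf_off + bf_size]
    if b"\0" in name:
        raise ValueError("NUL byte in backing file name")
    return name.decode("utf-8")


def backing_file_allowed(image_path: str, image: bytes, claimed_path: str) -> bool:
    """Allow the path QEMU requested only if the header of the image assigned
    to the guest names it; relative names are resolved against the image's
    own directory (assumption mirroring how QEMU opens them)."""
    expected = qcow2_backing_file(image)
    if expected is None:
        return False
    if not os.path.isabs(expected):
        expected = os.path.join(os.path.dirname(image_path), expected)
    return os.path.normpath(expected) == os.path.normpath(claimed_path)


def make_header(backing: Optional[bytes]) -> bytes:
    """Constructed sample: a minimal v2 header with the backing name appended."""
    hdr = bytearray(QCOW2_HEADER_LEN)
    struct.pack_into(">II", hdr, 0, QCOW2_MAGIC, 2)          # magic, version
    struct.pack_into(">I", hdr, 20, 16)                       # cluster_bits
    if backing:
        struct.pack_into(">QI", hdr, 8, QCOW2_HEADER_LEN, len(backing))
        hdr += backing
    return bytes(hdr)
```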