On Wed, Jul 20, 2011 at 11:28 AM, Daniel P. Berrange
<berrange(a)redhat.com> wrote:
> On Wed, Jul 20, 2011 at 12:15:02PM +0200, Nicolas Sebrecht wrote:
> > The 20/07/11, Daniel P. Berrange wrote:
> >
> > > To make the decision whether the filename from QEMU is valid, we have
> > > to parse the master image header data to see if the filename actually
> > > matches the backing file required by the image assigned to the guest.
> >
> > Actually, libvirt should not have to worry if the filename provided by
> > QEMU is valid. I think it should trust QEMU. If QEMU doesn't provide
> > information others can trust; it should be fixed at QEMU side.
>
> The security goal of libvirt is to protect the host from a compromised
> QEMU, therefore QEMU is, by definition, untrusted.

This is a very reasonable goal. QEMU is constantly dealing with the
untrusted guest. The whole point of SELinux isolation of QEMU is to
contain any compromise to a single VM and reduce the capabilities of
that process to the minimum.

libvirt needs to help set the boundaries of what the QEMU process can do.

Stefan
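
The check described in the quoted text (parse the image header, then compare the backing file it records with the name QEMU reported), as an added example that is not part of this thread and is not libvirt's code. It assumes the image is qcow2, which the thread does not state; `backing_file_matches` and `make_sample` are hypothetical names, and the header bytes are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint64_t be(const unsigned char *p, int n)   /* big-endian read */
{
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | *p++;
    return v;
}

/* 1 = reported name equals the header's backing file; 0 = mismatch, or the
 * image has no backing file; -1 = malformed header. */
int backing_file_matches(const unsigned char *img, size_t len, const char *reported)
{
    if (len < 20 || be(img, 4) != 0x514649fbU)   /* magic "QFI\xfb" */
        return -1;
    uint64_t off = be(img + 8, 8);    /* backing_file_offset */
    uint64_t size = be(img + 16, 4);  /* backing_file_size */
    if (off == 0)
        return 0;                     /* no backing file, so no name is valid */
    if (size == 0 || size > 1023 || off > len || size > len - off)
        return -1;                    /* over spec limit or outside the buffer */
    /* The stored name is not NUL-terminated: compare length, then bytes. */
    return strlen(reported) == size && memcmp(img + off, reported, size) == 0;
}

/* Constructed sample: minimal header, backing file name stored at offset 104. */
size_t make_sample(unsigned char *buf, size_t cap, const char *name)
{
    size_t n = strlen(name);
    if (n > 1023 || cap < 104 + n) return 0;
    memset(buf, 0, 104 + n);
    memcpy(buf, "QFI\xfb", 4);
    buf[7] = 2;                       /* version */
    buf[15] = 104;                    /* backing_file_offset */
    buf[18] = (unsigned char)(n >> 8);/* backing_file_size, big-endian */
    buf[19] = (unsigned char)n;
    memcpy(buf + 104, name, n);
    return 104 + n;
}

int main(void)
{
    unsigned char img[256];
    size_t len = make_sample(img, sizeof img, "/var/lib/images/base.qcow2");
    printf("%d\n", backing_file_matches(img, len, "/var/lib/images/base.qcow2"));
    printf("%d\n", backing_file_matches(img, len, "/var/lib/images/other.qcow2"));
    return 0;
}
```

Only a return value of 1 should lead to the reported file being labelled for the guest; 0 and -1 are both refusals.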