On Fri, Dec 05, 2014 at 09:57:36AM -0700, Eric Blake wrote:
On 12/05/2014 04:18 AM, Daniel P. Berrange wrote:
> On Fri, Dec 05, 2014 at 12:12:46PM +0100, Michal Privoznik wrote:
>> From: Vasiliy Tolstov <v.tolstov(a)selfip.ru>
>>
>> If a user doesn't specify script in network type ethernet, assume
>> that he/she needs a simple tap device created by libvirt. This
>> commit does not need to run external script to create tap device
>> or add root to qemu process. Moreover, some functions need to be
>> mocked now for qemuxml2argvtest, e.g. virNetDevTapCreate() or
>> virNetDevSetOnline().
>
> Hmm, even if the user does provide a script, perhaps libvirt could
> create the TAP device *and* run the script itself. This would finally
> allow us to run QEMU unprivileged with type=ethernet in all cases.
> eg take QEMU entirely out of the picture for NIC setup
Don't we still have to mark things as tainted, and be careful that
executing an arbitrary script is not going to hose the host if a
less-privileged user (such as via fine-grained ACLs) passes a suspicious
script?
Well the choice of script path is constrained based on the privilege
required to define XML config. That is already effectively equivalent
to root, so I don't think we need be concerned about what the script
actually does from a security POV.
I'm still somewhat inclined to leave the config as "tainted" though,
simply because of the fact that the scripts are an opaque black box
that we don't have visiblity into. So they definitely have the
potential to screw up host or guest config in ways that people
responding to support tickets should be made aware of by the tainting
flag.
Regards,
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|