2010/10/11 Harsh Prateek Bora <harsh(a)linux.vnet.ibm.com>:
This patch introduces a new attribute to the filesystem element
to support customizable security for the mount type.
Valid mount_security values are: passthrough and mapped.
Usage:
<filesystem type='mount' mount_security='passthrough'>
  <source dir='/export/to/guest'/>
  <target dir='mount_tag'/>
</filesystem>
Here is the detailed explanation on these security models:
Security model: mapped
----------------------
Fileserver intercepts and maps all the file object create requests.
Files on the fileserver will be created with Fileserver's user credentials
and the client-user's credentials are stored in extended attributes.
During getattr() server extracts the client-user's credentials from extended
attributes and sends to the client.
This adds a great deal of security in the cloud environments where the
guest's (client) user space is kept completely isolated from host's user
space.
Security model: passthrough
---------------------------
In this security model, Fileserver passes down all requests to the
underlying filesystem. File system objects on the fileserver will be created
with client-user's credentials. This is done by setting setuid()/setgid()
during creation or chmod/chown after file creation. At the end of create
protocol request, files on the fileserver will be owned by client-user's
uid/gid. This model mimics current NFSv3 level of security.
Note: This patch is based on Daniel's patch to support 9pfs.
It shall be applied after applying Daniel's patch to support 9pfs.
v3:
- QEMU cmdline still uses security_model, changes done by mistake reverted.
Signed-off-by: Harsh Prateek Bora <harsh(a)linux.vnet.ibm.com>
---
docs/schemas/domain.rng | 6 ++++++
src/conf/domain_conf.c | 29 +++++++++++++++++++++++++++--
src/conf/domain_conf.h | 10 ++++++++++
src/qemu/qemu_conf.c | 9 +++++++--
4 files changed, 50 insertions(+), 4 deletions(-)
This patch lacks documentation about the new domain XML attributes in
docs/formatdomain.html.in.
Matthias
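
The two security models described in the quoted commit message, as an added example that is not code from the patch, libvirt or QEMU: a small in-memory model of the fileserver showing who owns a file on the host and what the guest is told when guest uid 0 creates it. The server uid/gid, the xattr names and the fallback for files without stored credentials are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed values for illustration: the unprivileged host account the
# fileserver runs as, and hypothetical xattr names for client credentials.
SERVER_UID, SERVER_GID = 107, 107
XATTR_UID, XATTR_GID = "user.example.uid", "user.example.gid"

@dataclass
class HostFile:
    """What the host filesystem records for one exported file."""
    uid: int
    gid: int
    xattrs: dict = field(default_factory=dict)

class FileServer:
    def __init__(self, model):
        if model not in ("passthrough", "mapped"):
            raise ValueError(f"unknown security model: {model!r}")
        self.model, self.files = model, {}

    def create(self, path, client_uid, client_gid):
        if self.model == "passthrough":
            # Host object ends up owned by the client-user's uid/gid.
            self.files[path] = HostFile(client_uid, client_gid)
        else:
            # Host object is owned by the fileserver's own credentials;
            # the client-user's credentials go into extended attributes.
            self.files[path] = HostFile(SERVER_UID, SERVER_GID, {
                XATTR_UID: str(client_uid).encode(),
                XATTR_GID: str(client_gid).encode()})

    def host_owner(self, path):
        f = self.files[path]
        return (f.uid, f.gid)

    def getattr(self, path):
        """Ownership as reported to the client."""
        f = self.files[path]
        if self.model == "mapped" and XATTR_UID in f.xattrs and XATTR_GID in f.xattrs:
            return (int(f.xattrs[XATTR_UID].decode()), int(f.xattrs[XATTR_GID].decode()))
        # Passthrough, or (assumed fallback) a file with no stored credentials.
        return (f.uid, f.gid)

def guest_root_creates(model):
    """Guest uid 0 creates a file; return (owner on host, owner seen by guest)."""
    srv = FileServer(model)
    srv.create("/export/to/guest/f", 0, 0)
    return srv.host_owner("/export/to/guest/f"), srv.getattr("/export/to/guest/f")
```

In both models the guest sees its own uid 0 as owner; only under passthrough does the host filesystem also record uid 0, which is the isolation difference the commit message points to.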