
Re: [Qemu-devel] live snapshot wiki updated


From: Cleber Rosa
Subject: Re: [Qemu-devel] live snapshot wiki updated
Date: Wed, 20 Jul 2011 14:34:23 -0400
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110621 Fedora/3.1.11-1.fc14 Thunderbird/3.1.11

On 07/20/2011 10:34 AM, Anthony Liguori wrote:
On 07/20/2011 08:50 AM, Cleber Rosa wrote:
Just as a reminder: with DAC, if a guest is compromised and somehow
escalates to QEMU, it could disable its isolation (ie, by setting their
own image files world readable). I guess we shouldn't try to fix the DAC
model, but fix what's preventing us from fully using MAC, even though
it's outside of QEMU.

I don't see how a guest making its data world readable is a fundamental problem.

Well, if we're discussing security models and how to provide the best isolation we can to VMs/QEMU instances, then a VM being able to read (or even write) data of another VM *is* a fundamental problem. "setting their own image files world readable" is just one example of how that could be accomplished.


DAC is a fundamental part of the Unix design and is something that administrators understand very well.

That is a true sentence, but it does not make DAC the most appropriate solution here.

I completely understand the value of MAC but to argue that we shouldn't present DAC as an option I think is fundamentally wrong.

I never said, and really don't think, that we shouldn't provide other security options/models; this is actually part of the well-accepted "security in multiple layers" strategy.

I did assume, though, we were aiming for the best isolation level, and that is definitely MAC. DAC may indeed be good enough for some, but definitely not good enough for many others.

CR.


Regards,

Anthony Liguori
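The DAC weakness discussed above is that the process owning an image file can relax that file's mode itself. The following audit script is an added example (not code from the thread or from QEMU): it checks a set of guest images against their expected owning uid and reports any image whose mode grants access to users other than the owner. The directory, image names and uids are constructed for the demo; it audits only the DAC layer, since under a MAC policy the label rather than the mode would govern access.

```python
"""Audit guest disk images for DAC isolation that has been relaxed."""
import os
import stat
import tempfile

# Permission bits that let a uid other than the owner read or write the file.
OTHER_ACCESS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def audit_images(expected_owner):
    """expected_owner: {image_path: uid}. Returns {image_path: [problems]}."""
    findings = {}
    for path, uid in expected_owner.items():
        st = os.lstat(path)
        problems = []
        if st.st_uid != uid:
            problems.append("owner uid %d, expected %d" % (st.st_uid, uid))
        if st.st_mode & OTHER_ACCESS:
            problems.append("mode %o grants non-owner access"
                            % stat.S_IMODE(st.st_mode))
        if problems:
            findings[path] = problems
    return findings


def demo():
    """Constructed scenario: two guest images, one of which has had its mode
    relaxed the way the thread describes (owner chmods it world-readable)."""
    d = tempfile.mkdtemp()
    vm1 = os.path.join(d, "vm1.img")
    vm2 = os.path.join(d, "vm2.img")
    for p in (vm1, vm2):
        with open(p, "wb") as f:
            f.write(b"\0" * 16)
        os.chmod(p, 0o600)          # how an admin leaves it under plain DAC
    os.chmod(vm2, 0o644)            # DAC lets the owner undo its own isolation
    me = os.getuid()
    return audit_images({vm1: me, vm2: me})


if __name__ == "__main__":
    for path, problems in demo().items():
        print(path, "->", "; ".join(problems))
```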