|
| From: | Anthony Liguori |
| Subject: | Re: [Qemu-devel] [RFC] Next gen kvm api |
| Date: | Tue, 07 Feb 2012 09:15:12 -0600 |
| User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110922 Lightning/1.0b2 Thunderbird/3.1.15 |
On 02/07/2012 07:18 AM, Avi Kivity wrote:
On 02/07/2012 02:51 PM, Anthony Liguori wrote:On 02/07/2012 06:40 AM, Avi Kivity wrote:On 02/07/2012 02:28 PM, Anthony Liguori wrote:It's a potential source of exploits (from bugs in KVM or in hardware). I can see people wanting to be selective with access because of that.As is true of the rest of the kernel. If you want finer grain access control, that's exactly why we have things like LSM and SELinux. You can add the appropriate LSM hooks into the KVM infrastructure and setup default SELinux policies appropriately.LSMs protect objects, not syscalls. There isn't an object to protect here (except the fake /dev/kvm object).A VM can be an object.Not really, it's not accessible in a namespace. How would you label it?
Labels can originate from userspace, IIUC, so I think it's possible for QEMU (or whatever the userspace is) to set the label for the VM while it's creating it. I think this is how most of the labeling for X and things of that nature works.
Maybe Chris can set me straight.
Maybe we can reuse the process label/context (not sure what the right term is for a process).
Regards, Anthony Liguori
| [Prev in Thread] | Current Thread | [Next in Thread] |