On Tue, Feb 24, 2015 at 09:30:56AM -0700, Eric Blake wrote:
On 02/24/2015 02:50 AM, Wen Congyang wrote:
Script files are in general very hard to secure. Libvirt marks any
domain that uses a script file for controlling networking as tainted,
because it cannot guarantee that the script did not do arbitrary
actions. Can you come up with any better solution that does not require
a script file, such as having management software responsible for
passing in an already-opened fd?
Do you mean that opening the script in libvirt?
No, I mean a solution that needs no script file at all. Have libvirt
pre-open the TAP device you will need, then pass in the fd that will be
used for the colo NIC.
Agreed, we really must not add new features that require executing
arbitrary blackbox shell scripts to QEMU, when we know that reslts in
a flawed security model. And just pushing the script execution upto
libvirt is not really a satisfactory solution either.