qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2 0/2] Add dbus-vmstate

From: Dr. David Alan Gilbert
Subject: Re: [Qemu-devel] [PATCH v2 0/2] Add dbus-vmstate
Date: Fri, 23 Aug 2019 15:26:02 +0100
User-agent: Mutt/1.12.1 (2019-06-15) 
* Daniel P. Berrangé (address@hidden) wrote:
> On Fri, Aug 23, 2019 at 03:09:48PM +0100, Dr. David Alan Gilbert wrote:
> > * Marc-André Lureau (address@hidden) wrote:
> > > Hi
> > > 
> > > On Fri, Aug 23, 2019 at 5:00 PM Dr. David Alan Gilbert
> > > <address@hidden> wrote:
> > > >
> > > > * Daniel P. Berrangé (address@hidden) wrote:
> > > >
> > > > <snip>
> > > >
> > > > > This means QEMU still has to iterate over every single client
> > > > > on the bus to identify them. If you're doing that, there's
> > > > > no point in owning a well known service at all. Just iterate
> > > > > over the unique bus names and look for the exported object
> > > > > path /org/qemu/VMState
> > > > >
> > > >
> > > > Not knowing anything about DBus security, I want to ask how do
> > > > we handle security here?
> > > 
> > > First of all, we are talking about cooperative processes, and having a
> > > specific bus for each qemu instance. So some amount of security/trust
> > > is already assumed.
> > 
> > Some but we need to keep it as limited as possible; for example two
> > reasons for having separate processes both come down to security:
> > 
> >   a) vtpm - however screwy the qemu is, you can never get to the keys in
> > the vtpm
> 
> Processes connected to dbus can only call the DBus APIs that vtpm
> actually exports.  The vtpm should simply *not* export a DBus
> API that allows anything to fetch the keys.
> 
> If it did want to export APIs for fetching keys, then we would
> have to ensure suitable dbus /selinux policy was created to
> prevent unwarranted access.

This was really just one example of where the security/trust isn't
assumed; however a more concrete case is migration of a vtpm, and even
though it's probably encrypted blob you still don't want some other
device to grab the migration data - or to say reinitialise the vtpm.

> >   b) virtio-gpu, loads of complex GPU code that can't break the main
> > qemu process.
> 
> That's no problem - virtio-gpu crashes, it disappears from the dbus
> bus, but everything else keeps running.

Crashing is the easy case; assume it's malicious and you don't want it
getting to say a storage device provided by another vhost-user device.

> > > But if necessary, dbus can enforce policies on who is allowed to own a
> > > name, or to send/receive message from. As far as I know, this is
> > > mostly user/group policies.
> > > 
> > > But there is also SELinux checks to send_msg and acquire_svc (see
> > > dbus-daemon(1))
> > 
> > But how does something like SELinux interact with a private dbus 
> > rather than the system dbus?
> 
> There's already two dbus-daemon's on each host - the system one and
> the session one, and they get different selinux contexts,
> system_dbus_t and unconfined_dbus_t.
> 
> Since libvirt would be responsible for launching these private dbus
> daemons it would be easy to make it run  svirt_dbus_t for example.
> Actually it would be  svirt_dbus_t:s0:cNNN,cMMM to get uniqueness
> per VM.
> 
> Will of course require us to talk to the SELinux maintainers to
> get some sensible policy rules created.

This all relies on SELinux and running privileged qemu/vhost-user pairs;
needing to do that purely to enforce security seems wrong.

Dave

> > > > I want to know that the external device that's giving me migration data
> > > > is the device I think I'm speaking to, not one of the other devices;
> > > 
> > > DBus is not the problem nor the solution here.
> > 
> > Well, if the migration data was squirting down the existing vhost-user
> > channel then there would be no risk here; so the use of dbus is creating
> > the problem.
> > 
> > > But what defines that device-service strong relationship? Can you
> > > generalize it? I don't think so.
> > > 
> > > What DBus can guarantee is that the unique-id you are talking to is
> > > always the same connection (thus the same process).
> > > 
> > > > I also dont want different devices chatting to each other over dbus
> > > > unless we're very careful.
> > > 
> > > That's a bus policy job.
> > 
> > OK, as long as you somehow set it up.
> > 
> > Dave
> > 
> > > >
> > > > Dave
> > > >
> > > > > Regards,
> > > > > Daniel
> > > > > --
> > > > > |: https://berrange.com      -o-    
> > > > > https://www.flickr.com/photos/dberrange :|
> > > > > |: https://libvirt.org         -o-            
> > > > > https://fstop138.berrange.com :|
> > > > > |: https://entangle-photo.org    -o-    
> > > > > https://www.instagram.com/dberrange :|
> > > > --
> > > > Dr. David Alan Gilbert / address@hidden / Manchester, UK
> > > >
> > > 
> > > 
> > > -- 
> > > Marc-André Lureau
> > --
> > Dr. David Alan Gilbert / address@hidden / Manchester, UK
> 
> Regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / address@hidden / Manchester, UK
reply via email to
[Prev in Thread] Current Thread [Next in Thread]