[libvirt] Re: [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization
James Morris
jmorris at namei.org
Tue Aug 12 09:57:19 UTC 2008
On Tue, 12 Aug 2008, Russell Coker wrote:
> having different labels for processes and files so that if someone cracks the
> UML kernel then they end up with just a regular user access on the Linux
> host. Which of course they could then try to crack with any of the usual
> local-root exploits.
>
> For separation based on Xen if someone cracks the hypervisor then you lose
> everything.
>
> For KVM (which seems to be the future of Linux virtualisation) I don't know
> enough to comment.
KVM uses a modified version of Qemu where guests run as Linux processes.
There are some useful documents here:
http://kvm.qumranet.com/kvmwiki/Documents
(The OLS paper especially).
> So by "Linux-based" you mean in contrast to Xen which has the Xen kernel (not
> Linux) running on the hardware?
Yes.
> > I don't understand what needs to be backed here. Currently, MAC is not
> > used to separate different Linux-based VMs, and by integrating MAC
> > support, people will be able to further utilize MAC.
>
> One thing that should be noted is the labelled network benefits. If you had
> several groups of virtual servers running at different levels and wanted to
> prevent information leaks then having SE Linux contexts and labelled
> networking could make things a little easier.
>
> I have had some real challenges in managing firewall rules for Xen servers.
> My general practice is to try and make sure that there is no real need for
> firewalls between hosts on the same hardware (not that I want it this way -
> it's what technical and management issues force me to).
>
> So for example if I have an ISP Xen server running virtual machines for a
> number of organisations I make sure that they are either all within a similar
> trust boundary (IE affiliated groups) or all mutually untrusting (IE other IP
> addresses in the same net-block are treated the same as random hosts on the
> net).
Thanks for the insights -- we expect to address the virtual networking
aspect in some way.
> The issue is whether the hypervisor you care about can be broken out of in
> that way. It seems that if someone can break out of Xen then you just lose.
> For KVM I don't know the situation, do you have a good reference for how it
> works?
>
> http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
>
> The above web page says that KVM is all based in the kernel, in which case why
> would it be any more resilient than Xen?
KVM uses a kernel module to utilize the virt hardware (which Qemu
interfaces with via /dev/kvm), but the guest runs in a userspace process.
I'm not comparing which is more resilient.
- James
--
James Morris
<jmorris at namei.org>
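Added illustration (not code from this thread, from sVirt or from libvirt): the separation Russell describes, distinct labels on each guest's process and on its files, only helps if the labels are actually distinct per guest and consistent between the qemu process and the disk image it opens. The script below audits that from `ps -eZ`-style and `ls -Z`-style output. The sample lines, the pid-to-image mapping, and the label scheme (a `svirt_t` process type and a `svirt_image_t` file type carrying per-guest MCS categories) are constructed assumptions for the example, not something the thread specifies.

```python
"""
Audit per-guest label separation for KVM/qemu guests running as host processes.
All input below is constructed for the example; on a real host you would feed
in `ps -eZ`, `ls -Z` and the targets of /proc/<pid>/fd/* instead.
"""
from collections import defaultdict

# Constructed sample in the shape of `ps -eZ` output: label, pid, tty, time, comm.
PS_LINES = """\
system_u:system_r:svirt_t:s0:c12,c34  2001 ?  00:00:09 qemu-kvm
system_u:system_r:svirt_t:s0:c56,c78  2002 ?  00:00:03 qemu-kvm
system_u:system_r:svirt_t:s0:c56,c78  2003 ?  00:00:01 qemu-kvm
system_u:system_r:init_t:s0              1 ?  00:00:02 init
"""

# Constructed: which disk image each qemu pid has open (as /proc/<pid>/fd would show).
OPEN_IMAGES = {
    2001: ["/var/lib/libvirt/images/guest-a.img"],
    2002: ["/var/lib/libvirt/images/guest-b.img"],
    2003: ["/var/lib/libvirt/images/guest-c.img"],
}

# Constructed sample in the shape of `ls -Z` output: label, path.
LS_LINES = """\
system_u:object_r:svirt_image_t:s0:c12,c34 /var/lib/libvirt/images/guest-a.img
system_u:object_r:svirt_image_t:s0:c12,c34 /var/lib/libvirt/images/guest-b.img
system_u:object_r:svirt_image_t:s0:c56,c78 /var/lib/libvirt/images/guest-c.img
"""


def parse_context(ctx):
    """Split user:role:type:range into (type, frozenset of MCS categories)."""
    user, role, type_, range_ = ctx.split(":", 3)
    # range is 's0' or 's0:c12,c34'; categories follow the first ':' if present
    cats = range_.split(":", 1)[1] if ":" in range_ else ""
    return type_, frozenset(c for c in cats.split(",") if c)


def fmt_cats(cats):
    """Render a category set in numeric order, e.g. 'c12,c34'."""
    return ",".join(sorted(cats, key=lambda c: int(c[1:]))) or "<none>"


def parse_ps(text):
    """pid -> (type, categories, command) from ps -eZ style lines."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        type_, cats = parse_context(fields[0])
        procs[int(fields[1])] = (type_, cats, fields[-1])
    return procs


def parse_ls(text):
    """path -> (type, categories) from ls -Z style lines."""
    files = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        files[fields[1].strip()] = parse_context(fields[0])
    return files


def audit(ps_text, ls_text, open_images, guest_type="svirt_t"):
    """Return a list of findings where per-guest separation is weakened."""
    procs = parse_ps(ps_text)
    files = parse_ls(ls_text)
    guests = {pid: info for pid, info in procs.items() if info[0] == guest_type}
    findings = []

    # 1. Two guests with identical categories: MCS treats them as one guest,
    #    so a compromised qemu process in one can open the other's image.
    by_cats = defaultdict(list)
    for pid, (_, cats, _) in guests.items():
        if not cats:
            findings.append({"kind": "no_categories", "pid": pid})
        by_cats[cats].append(pid)
    for cats, pids in by_cats.items():
        if len(pids) > 1:
            findings.append({"kind": "shared_label", "categories": fmt_cats(cats),
                             "pids": sorted(pids)})

    # 2. Image categories differ from its guest's: either the guest cannot
    #    reach its own disk, or the image is reachable by a neighbouring guest.
    for pid, (_, cats, _) in sorted(guests.items()):
        for path in open_images.get(pid, []):
            if path not in files:
                findings.append({"kind": "unlabelled_image", "pid": pid, "path": path})
                continue
            _, file_cats = files[path]
            if file_cats != cats:
                findings.append({"kind": "image_mismatch", "pid": pid, "path": path,
                                 "guest_categories": fmt_cats(cats),
                                 "image_categories": fmt_cats(file_cats)})
    return findings


if __name__ == "__main__":
    for finding in audit(PS_LINES, LS_LINES, OPEN_IMAGES):
        print(finding)
```

On the constructed input this reports two problems: pids 2002 and 2003 share `c56,c78`, and guest-b.img carries guest A's categories rather than those of the pid that opened it. Both are exactly the conditions under which "cracking one guest's qemu" stops being contained to that guest's own files.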