[libvirt] [Qemu-devel] live snapshot wiki updated

Jes Sorensen Jes.Sorensen at redhat.com
Thu Jul 21 08:38:58 UTC 2011

On 07/20/11 11:36, Daniel P. Berrange wrote:
> On Wed, Jul 20, 2011 at 10:23:12AM +0200, Jes Sorensen wrote:
>> Pardon, but I fail to see the issue here. If QEMU passes a filename back
>> to libvirt, libvirt still gets to make the decision whether or not it is
>> legitimate for QEMU to get that file descriptor or not. It doesn't
>> change anything wrt who actually opens the file, hence the 'trust' is
>> unchanged.
> To make the decision whether the filename from QEMU is valid, we have
> to parse the master image header data to see if the filename actually
> matches the backing file required by the image assigned to the guest.

Sorry but that doesn't make any sense. In other words, if someone hacks
an image and makes it point to a different file, you are going to allow
the backing file to be opened just because it is listed in the image?

If this is really the approach you are suggesting, it seems to me the
whole 'do not allow random opens on NFS' security thing has gone out the

To the best of my understanding, the whole idea with selinux attributes
was to be able to specify which files are allowed to be opened by a
given process. Mapping this to the libvirt model, it should mean libvirt
ought to carry a positive list of  files that are allowed to be opened,
rather than relying on what might be written to an image file.


More information about the libvir-list mailing list