[libvirt] [Qemu-devel] live snapshot wiki updated

Stefan Hajnoczi stefanha at gmail.com
Wed Jul 20 11:40:51 UTC 2011


On Wed, Jul 20, 2011 at 11:28 AM, Daniel P. Berrange
<berrange at redhat.com> wrote:
> On Wed, Jul 20, 2011 at 12:15:02PM +0200, Nicolas Sebrecht wrote:
>> The 20/07/11, Daniel P. Berrange wrote:
>>
>> > To make the decision whether the filename from QEMU is valid, we have
>> > to parse the master image header data to see if the filename actually
>> > matches the backing file required by the image assigned to the guest.
>>
>> Actually, libvirt should not have to worry if the filename provided by
>> QEMU is valid. I think it should trust QEMU. If QEMU doesn't provide
>> information others can trust, it should be fixed on the QEMU side.
>
> The security goal of libvirt is to protect the host from a compromised
> QEMU, therefore QEMU is, by definition, untrusted.

This is a very reasonable goal.  QEMU is constantly dealing with the
untrusted guest.  The whole point of SELinux isolation of QEMU is to
contain any compromise to a single VM and reduce the capabilities of
that process to the minimum.

libvirt needs to help set the boundaries of what the QEMU process can do.

Stefan
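
Daniel's point above, that libvirt must check the backing file name against the image header rather than take QEMU's word for it, as an added example that is not from this thread or from libvirt's code: a minimal qcow2 header parser that reads the backing file name from the image itself and accepts the path QEMU reports only when it matches. The image bytes, helper names and paths are constructed for the example.

```python
import struct
from typing import Optional

QCOW2_MAGIC = b"QFI\xfb"
# The qcow2 format caps the backing file name at 1023 bytes.
QCOW2_MAX_BACKING_NAME = 1023


def backing_file_from_qcow2(image: bytes) -> Optional[bytes]:
    """Return the backing file name stored in a qcow2 header, or None if absent.

    Every offset and length is read from the image by the caller (libvirt),
    so the result does not depend on anything the untrusted QEMU process says.
    Malformed headers raise ValueError rather than being partially trusted.
    """
    if len(image) < 72:  # 72 bytes is the size of a v2 header, v3 is longer
        raise ValueError("image too short for a qcow2 header")
    magic, version = struct.unpack_from(">4sI", image, 0)
    if magic != QCOW2_MAGIC or version not in (2, 3):
        raise ValueError("not a qcow2 v2/v3 image")
    backing_off, backing_len = struct.unpack_from(">QI", image, 8)
    if backing_off == 0 or backing_len == 0:
        return None  # standalone image, no backing file
    if backing_len > QCOW2_MAX_BACKING_NAME or backing_off + backing_len > len(image):
        raise ValueError("backing file fields point outside the image")
    return image[backing_off:backing_off + backing_len]


def qemu_backing_file_is_valid(image: bytes, reported: bytes) -> bool:
    """Accept the path QEMU reported only if the image header names the same file."""
    try:
        expected = backing_file_from_qcow2(image)
    except ValueError:
        return False  # unparsable image: refuse rather than guess
    return expected is not None and expected == reported


def make_qcow2_header(backing: bytes) -> bytes:
    """Constructed sample image: a 4 KiB qcow2 v3 header, optionally with a backing file."""
    header = bytearray(4096)
    struct.pack_into(">4sI", header, 0, QCOW2_MAGIC, 3)
    if backing:
        # Store the name right after the 104-byte v3 header and point to it.
        struct.pack_into(">QI", header, 8, 104, len(backing))
        header[104:104 + len(backing)] = backing
    struct.pack_into(">I", header, 20, 16)       # cluster_bits = 16 (64 KiB clusters)
    struct.pack_into(">Q", header, 24, 1 << 30)  # virtual disk size: 1 GiB
    return bytes(header)
```

A production check would canonicalize both paths and additionally confirm that the header-named file is one the domain is permitted to use; the exact byte comparison keeps the example short.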