[libvirt] Per-guest configurable user/group for QEMU processes

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Thu Feb 23 19:41:27 UTC 2012


Hi,

I'm starting to work on an improvement for libvirt to be able to support 
per-guest configurable user and group IDs for QEMU processes. Currently, 
libvirt uses a configurable pair of user and group, which is defined in 
qemu.conf, for all qemu processes when running in privileged mode.

This topic was already commented on in the qemu mailing list 
(http://lists.nongnu.org/archive/html/qemu-devel/2011-10/msg00758.html) 
but, as this requires changes in libvirt API, I'd like to discuss what 
would be the best solution for it.

A solution (as proposed in the link above) would be to extend the 
security driver model to allow multiple drivers. In this case, an 
example of the XML definition would be:

   ...
   <seclabel type='dynamic' model='selinux'>
     <label>system_u:system_r:svirt_t:s0:c633,c712</label>
     <imagelabel>system_u:object_r:svirt_image_t:s0:c633,c712</imagelabel>
   </seclabel>
   <seclabel type='dynamic' model='dac'>
     <label>102:102</label>
     <imagelabel>102:102</imagelabel>
   </seclabel>
   ...

I don't know if this is a clean solution because the usual option would 
be to enclose the block above in a "<seclabels>" tag. But as this would 
break the actual API, it's not viable.

Another option is to expose the stack security driver that already 
exists internally in libvirt (maybe extending it to support more than 
two security drivers):

   ...
   <seclabel type='stack'>
     <seclabel type='dynamic' model='selinux'>
       <label>system_u:system_r:svirt_t:s0:c633,c712</label>
       <imagelabel>system_u:object_r:svirt_image_t:s0:c633,c712</imagelabel>
     </seclabel>
     <seclabel type='dynamic' model='dac'>
       <label>102:102</label>
       <imagelabel>102:102</imagelabel>
     </seclabel>
   </seclabel>
   ...

In that case, a nested seclabel would only be allowed when type='stack'.

Independently of how multiple security drivers can be expressed in the 
XML, another problem would be how functions such as virDomainGetSecurityLabel 
should behave.

A third option is to just not support multiple security drivers and 
include a new tag for DAC:

   ...
   <seclabel type='dynamic' model='selinux'>
     <label>system_u:system_r:svirt_t:s0:c633,c712</label>
     <imagelabel>system_u:object_r:svirt_image_t:s0:c633,c712</imagelabel>
   </seclabel>
   <dac process='102:102' image='102:102'/>
   ...

Please let me know your opinions about this topic.

Regards,
Marcelo
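
The three XML shapes proposed in this message carry the same information. As an added example (not part of the original message and not libvirt code), this Python sketch normalizes each shape into a model-to-label mapping and enforces the "nested seclabel only when type='stack'" rule, which is how an operator could check which uid:gid a guest would run under. The function names and the `<domain>` wrapper around the fragments are assumptions; `type='stack'` and `<dac>` are the proposals above, not existing schema.

```python
import xml.etree.ElementTree as ET

SEL = ("<seclabel type='dynamic' model='selinux'>"
       "<label>system_u:system_r:svirt_t:s0:c633,c712</label>"
       "<imagelabel>system_u:object_r:svirt_image_t:s0:c633,c712</imagelabel>"
       "</seclabel>")
DAC = ("<seclabel type='dynamic' model='dac'>"
       "<label>102:102</label><imagelabel>102:102</imagelabel></seclabel>")

# Constructed samples: the message's fragments wrapped in a <domain> root.
SIBLINGS = f"<domain>{SEL}{DAC}</domain>"
STACKED = f"<domain><seclabel type='stack'>{SEL}{DAC}</seclabel></domain>"
DAC_TAG = f"<domain>{SEL}<dac process='102:102' image='102:102'/></domain>"


def collect_seclabels(domain_xml):
    """Map each security model to its process and image labels."""
    found = {}

    def add(model, label, imagelabel):
        if not model or model in found:
            raise ValueError(f"missing or duplicate security model: {model!r}")
        found[model] = {"label": label, "imagelabel": imagelabel}

    def walk(sec):
        nested = sec.findall("seclabel")
        if sec.get("type") == "stack":
            for child in nested:
                walk(child)
        elif nested:
            raise ValueError("nested seclabel requires type='stack'")
        else:
            add(sec.get("model"), sec.findtext("label"), sec.findtext("imagelabel"))

    root = ET.fromstring(domain_xml)
    for sec in root.findall("seclabel"):
        walk(sec)
    for dac in root.findall("dac"):  # third proposal: separate DAC element
        add("dac", dac.get("process"), dac.get("image"))
    return found


def dac_ids(labels):
    """Split the DAC 'uid:gid' process label into integers."""
    uid, gid = labels["dac"]["label"].split(":")
    return int(uid), int(gid)


if __name__ == "__main__":
    for name, doc in (("siblings", SIBLINGS), ("stack", STACKED), ("dac tag", DAC_TAG)):
        print(name, dac_ids(collect_seclabels(doc)))
```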






