[libvirt] [PATCH 0/5] qemu: invoke qemu-bridge-helper from libvirtd
Paolo Bonzini
pbonzini at redhat.com
Fri Apr 12 05:37:50 UTC 2013
On 28/03/2013 20:30, Laine Stump wrote:
> > The <interface type='bridge'> is working mostly because of a bad design
> > decision in Linux. Ideally, QEMU would run with an empty capability
> > bounding set and would not be able to do any privileged operation
> > (not even by running a helper program). This is not the case because
> > dropping capabilities from the bounding set requires a capability of its
> > own, CAP_SETPCAP; thus QEMU does *not* run with an empty bounding set if
> > invoked via qemu:///session.
>
> Ewww. So what you're saying is that the qemu that's run from
> qemu:///system is more locked down (and thus "more secure") than the
> qemu that's run from qemu:///session? Basically this qemu can run any
> setuid application it likes, and there's nothing that we can do about it.

Yes. However, seccompv2 can still prevent execve from being executed by qemu.
Paolo
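
A defender-side check for the situation discussed in this message, as an added example that is not part of the original post or of libvirt's code: it parses the CapBnd, CapEff and Seccomp fields of `/proc/<pid>/status` text and reports whether the bounding set is empty, whether the process holds CAP_SETPCAP, and whether a seccomp filter is installed. The two status samples and all function names are constructed for illustration.

```python
CAP_SETPCAP = 8     # required to drop capabilities from the bounding set
CAP_NET_ADMIN = 12  # example of a privilege a setuid network helper relies on
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed samples (not captured from a real host).
SESSION_LIKE = """Name:\tqemu-system-x86
Uid:\t1000\t1000\t1000\t1000
CapEff:\t0000000000000000
CapBnd:\t0000001fffffffff
Seccomp:\t0
"""
LOCKED_DOWN = """Name:\tqemu-system-x86
Uid:\t107\t107\t107\t107
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
Seccomp:\t2
"""

def parse_status(text):
    """Return the capability masks and seccomp mode from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "bnd": int(fields["CapBnd"], 16),
        "eff": int(fields["CapEff"], 16),
        "seccomp": int(fields.get("Seccomp", "0")),
    }

def has_cap(mask, cap):
    return bool((mask >> cap) & 1)

def audit(text):
    st = parse_status(text)
    return {
        "bounding_empty": st["bnd"] == 0,
        # Without CAP_SETPCAP the process cannot shrink its own bounding set.
        "can_drop_bounding": has_cap(st["eff"], CAP_SETPCAP),
        # A capability left in the bounding set can be gained via a setuid exec.
        "bounding_allows_net_admin": has_cap(st["bnd"], CAP_NET_ADMIN),
        # "filter" only says a filter is loaded, not that it denies execve.
        "seccomp": SECCOMP_MODES.get(st["seccomp"], "unknown"),
    }

if __name__ == "__main__":
    for name, sample in (("session-like", SESSION_LIKE), ("locked-down", LOCKED_DOWN)):
        print(name, audit(sample))
```

On a live host the same function can be fed the contents of `/proc/<pid>/status` for the qemu process under review.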