[libvirt] [PATCH 0/5] qemu: invoke qemu-bridge-helper from libvirtd
Laine Stump
laine at laine.org
Thu Mar 28 19:30:50 UTC 2013
On 03/25/2013 10:25 AM, Paolo Bonzini wrote:
> The <interface type='bridge'> is working mostly because of a bad design
> decision in Linux. Ideally, QEMU would run with an empty capability
> bounding set and would not be able to do any privileged operation
> (not even by running a helper program). This is not the case because
> dropping capabilities from the bounding set requires a capability of its
> own, CAP_SETPCAP; thus QEMU does *not* run with an empty bounding set if
> invoked via qemu:///session.
Ewww. So what you're saying is that the qemu that's run from
qemu:///system is more locked down (and thus "more secure") than the
qemu that's run from qemu:///session? Basically this qemu can run any
setuid application it likes, and there's nothing that we can do about it.
More information about the libvir-list
mailing list