On Thu, Mar 21, 2013 at 07:05:09PM +0100, Alexandre Kandalintsev wrote: > Hi! > > > Here is the patch that allows us to specify the name of tap interface > when -netdev bridge is used. It's like -netdev tap,ifname=xxx, but for > bridges. > > > ** Motivation ** > > We've got zillions of VMs and would like to see meaningful names of tap > interfaces. This is really useful for for, e.g., system administrators > in case they want to run tcpdump on it. > > > ** How it works ** > > Just specify a ifname= parameter as it is done if --netdev tap is used. > However, as it requires root privs, the interface renaming is > actually done by qemu-bridge-helper. --netdev tap,ifname=xxx will fail > if qemu is launched not from root. > > > ** TODO ** > > 1. Update docs > 2. I'm afraid that net_init_tap should not run helper with > --br=DEFAULT_BRIDGE_INTERFACE . At least bridge name should be tunnable. > But this is a future work. > 3. May be we should call qemu-bridge-helper for tap interface renamings > because it always has root privs?
qemu-bridge-helper is a setuid root binary. It allows access to things an unprivileged user normally cannot do. We need to be very careful that new features cannot be abused. There needs to be a policy in qemu-bridge-helper to control network interface naming. Imagine an existing qemu-bridge-helper deployment. Now if your patch is merged and the new qemu-bridge-helper is installed, unprivileged users can create arbitrarily named network interfaces. It was previously not possible to create arbitrarily named network interfaces. This might pose a security problem given firewall configuration, monitoring software, etc which isn't configured to deal with these new interface names. By default, custom names should not be allowed. Perhaps the qemu-bridge-helper configuration file needs an option to specify a glob pattern, e.g. vm*. This way the host system administrator can restrict network interface names while still allowing humand-friendly names. Stefan
