Michael S. Tsirkin wrote:
>> Well it doesn't really help with the issue of privileges which is what
>> this series is really about.
>> Regards,
>> Anthony Liguori
> I note that by default you grant all users all access.
> If you do that, just give them net cap admin already?
By default, I give no users any access.
qemu-bridge-helper carries cap_net_admin but it doesn't do everything
cap_net_admin does. Since an administrator has to set that capability,
the admin is going to make it owned by root so that an unprivileged user
cannot change it. Modulo bugs, it's a very restricted subset of
cap_net_admin.
In order for a user to be able to get a tap device connected to a
bridge, the following things must be true:
1) the user must have execute privileges for qemu-bridge-helper
2) the user must have read/write access to /dev/net/tun
3) there must be an /etc/qemu/bridge.conf that is readable by the user
4) the config must have an explicit rule allowing access to the required
bridge device
So the user is very restricted in what they can do and they must be
granted these permissions explicitly by an administrator. By using
multiple bridge.conf files, an administrator can also create policies
based on filesystem permissions allowing certain user/groups to access
only certain bridges.
With raw, qemu must carry cap_net_raw. That is definitely not safe for
an untrusted user. Allowing an untrusted user to connect a VM to a
bridged physical network, on the other hand, seems to be a rather safe
thing to do as long as there are strong ways to control which bridges
they can connect to.
Regards,
Anthony Liguori
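The four preconditions Anthony lists, plus the per-bridge allow rule in bridge.conf, are easy to get subtly wrong when an administrator sets up several policy files. The script below is an added example, not code from the thread or from QEMU itself: it evaluates an ACL file the way qemu-bridge-helper's documented format reads (`allow <bridge>`, `deny <bridge>`, `allow all`, `deny all`, `include <file>`, `#` comments), with default deny and deny taking precedence over allow, and then walks the four checks for the user running the script. The helper path used in the usage comment is an assumption; only `/dev/net/tun` and `/etc/qemu/bridge.conf` come from the message.

```shell
#!/bin/sh
# Added example (not from the qemu-devel thread or the QEMU sources):
# audit whether the current user could attach a tap device to a bridge
# through qemu-bridge-helper, using the access model described above.
# Rule keywords follow the helper's documented ACL format; the
# default-deny, deny-beats-allow evaluation is this example's reading
# of that format.

# Print the normalized rules of an ACL file, following "include" lines.
# Runs in a subshell so recursion does not clobber variables.
collect_rules() (
    file=$1
    [ -r "$file" ] || { echo "unreadable acl file: $file" >&2; return 1; }
    while read -r cmd arg _rest; do
        case "$cmd" in
            ''|'#'*) ;;                                   # blank line or comment
            include) collect_rules "$arg" || return 1 ;;  # nested policy file
            allow|deny) echo "$cmd $arg" ;;
            *) echo "unknown rule in $file: $cmd" >&2; return 1 ;;
        esac
    done < "$file"
)

# Return 0 if BRIDGE is allowed by the ACL in CONF: at least one matching
# allow rule and no matching deny rule (deny wins; default is deny).
bridge_acl_allows() {
    conf=$1; bridge=$2
    rules=$(collect_rules "$conf") || return 1
    allowed=1; denied=1
    while read -r cmd arg; do
        case "$cmd $arg" in
            "allow all"|"allow $bridge") allowed=0 ;;
            "deny all"|"deny $bridge")   denied=0 ;;
        esac
    done <<EOF
$rules
EOF
    [ "$allowed" -eq 0 ] && [ "$denied" -ne 0 ]
}

# Walk the four preconditions from the message for the *current* user:
# 1) execute permission on the helper, 2) read/write on the tun device
# node, 3) a readable bridge.conf, 4) an explicit allow for the bridge.
user_can_bridge() {
    helper=$1; tun=$2; conf=$3; bridge=$4
    [ -x "$helper" ] || { echo "1) cannot execute $helper" >&2; return 1; }
    [ -r "$tun" ] && [ -w "$tun" ] \
        || { echo "2) no read/write access to $tun" >&2; return 1; }
    [ -r "$conf" ] || { echo "3) cannot read $conf" >&2; return 1; }
    bridge_acl_allows "$conf" "$bridge" \
        || { echo "4) no effective allow rule for $bridge in $conf" >&2; return 1; }
    echo "user may attach a tap to $bridge via $helper"
}

# Usage (helper path is an assumption; distributions differ):
#   sh bridge-audit.sh /usr/libexec/qemu-bridge-helper /dev/net/tun /etc/qemu/bridge.conf br0
if [ "$#" -eq 4 ]; then
    user_can_bridge "$@"
fi
```

Running the audit as each user (or group member) who is supposed to get bridge access turns the filesystem-permission policy Anthony describes into something an administrator can verify rather than assume; a `deny` in an included file silently overriding an `allow all` in the top-level file is exactly the kind of mistake the ACL walk surfaces.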