Avi Kivity wrote:
> On 11/08/2009 12:11 AM, Anthony Liguori wrote:
>> You don't need root privileges to use a tap device.
>
> You can access a preconfigured tap device but you cannot allocate a
> tap device and connect it to a bridge without CAP_NET_ADMIN.
>
> btw, shouldn't we, in the general case, create a bridge per user and
> use IP NAT? If we have a global bridge, users can spoof each other's
> MAC addresses and interfere with their virtual machines.

qemu-bridge-helper supports that model quite well :-) You would create
a NAT'd bridge for each user as the administrator, then create a
bridge.conf that consisted of per-user includes with appropriate
permissions set on each of those files.

> They can also interfere with the real network.
>
> That's not a concern with most one-user-per-machine configurations,
> but the default configuration should be safe.
Let's not kid ourselves, no matter what we do we're giving a user
elevated privileges. Even with NAT, if the host can access the NAT'ed
network, then you can run a privileged service (like NFS) in that
network. Like it or not, some networks rely on privileged services
being trusted as part of their security model (consider NIS).

I think the best we can do is provide a tool that allows an
administrator to grant users additional privileges in the tiniest
increments possible. Putting people in wheel just so they can do
virtualization is too much.

I don't see having an fscap-based helper as creating policy. I see it
as adding a mechanism for administrators to create policy.
--
Regards,
Anthony Liguori
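The "bridge.conf of per-user includes with appropriate permissions" model from the exchange above, worked through as an added example. This is not QEMU code and not code from the thread: it re-implements in Python the ACL semantics I believe qemu-bridge-helper uses (`allow`/`deny` with an interface name or `all`, `include <file>`, deny wins over allow, default deny, and an include the caller cannot read is skipped), and every path, user, group and bridge name is made up for the example. The filesystem is an in-memory dict so it runs without root; the read check models what a helper holding only CAP_NET_ADMIN (no CAP_DAC_OVERRIDE) would see. A second, deliberately weak layout grants one global bridge to everyone, which is the shared-bridge situation the thread warns about.

```python
"""Model of the per-user bridge.conf include scheme from the thread.

Added example; not QEMU code and not from the thread.  ACL semantics are
my reading of qemu-bridge-helper (allow/deny/include, "all" wildcard, deny
wins, default deny, unreadable includes skipped).  Paths, users, groups and
bridge names are constructed; the filesystem is an in-memory dict.
"""
import stat
from dataclasses import dataclass


@dataclass
class File:
    owner: str
    group: str
    mode: int
    content: str


# Constructed "filesystem": a root-owned, world-readable bridge.conf that
# denies the uplink bridge and pulls in one include per user.  Each include
# is root:<user> 0640, so only that user (and root) can read it.
PER_USER_FS = {
    "/etc/qemu/bridge.conf": File("root", "root", 0o644,
        "# global policy; per-user grants live in bridge.d/\n"
        "deny br0\n"
        "include /etc/qemu/bridge.d/alice.conf\n"
        "include /etc/qemu/bridge.d/bob.conf\n"),
    "/etc/qemu/bridge.d/alice.conf": File("root", "alice", 0o640, "allow br-alice\n"),
    # bob's file also tries to grant the uplink; the global deny must win
    "/etc/qemu/bridge.d/bob.conf": File("root", "bob", 0o640, "allow br-bob\nallow br0\n"),
}

# The weak layout: one global bridge granted to every user of the helper.
GLOBAL_FS = {
    "/etc/qemu/bridge.conf": File("root", "root", 0o644, "allow br0\n"),
}

GROUPS = {"alice": {"alice"}, "bob": {"bob"}, "mallory": {"mallory"}}


def can_read(fs, path, user):
    """Unix owner/group/other read check.  A helper that keeps only
    CAP_NET_ADMIN has no CAP_DAC_OVERRIDE, so these bits really bind it."""
    f = fs.get(path)
    if f is None:
        return False
    if f.owner == user:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in GROUPS.get(user, set()):
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def parse_acl(fs, path, user, rules=None, depth=0):
    """Flatten an ACL file into [(cmd, arg), ...], following includes that
    `user` can read.  An unreadable include is skipped silently, which is
    what turns per-file permissions into an access-control mechanism."""
    if rules is None:
        rules = []
    if depth > 8:
        raise ValueError("include nesting too deep")
    if not can_read(fs, path, user):
        if depth == 0:
            raise PermissionError(path)  # top-level file unreadable: hard failure
        return rules
    for raw in fs[path].content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"invalid config line: {raw!r}")
        cmd, arg = parts
        if cmd in ("allow", "deny"):
            rules.append((cmd, arg))
        elif cmd == "include":
            parse_acl(fs, arg, user, rules, depth + 1)
        else:
            raise ValueError(f"unknown command {cmd!r}")
    return rules


def bridge_allowed(fs, user, bridge):
    """Default deny; any matching deny overrides any matching allow."""
    allowed = denied = False
    for cmd, arg in parse_acl(fs, "/etc/qemu/bridge.conf", user):
        if arg not in ("all", bridge):
            continue
        if cmd == "allow":
            allowed = True
        else:
            denied = True
    return allowed and not denied


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        for bridge in ("br-alice", "br-bob", "br0"):
            print(f"{user:8} {bridge:9} per-user: {bridge_allowed(PER_USER_FS, user, bridge)!s:5} "
                  f"global: {bridge_allowed(GLOBAL_FS, user, bridge)}")
```

In the per-user layout alice can only use br-alice and bob only br-bob, mallory gets nothing because no include is readable to her, and bob's attempt to grant himself br0 loses to the administrator's global `deny br0`. In the global layout every user lands on the same br0, so the MAC-spoofing and real-network concerns raised in the thread apply. The helper side only does its job if the administrator side matches it: the per-user bridges actually exist with NAT in front of them, and the helper carries just `cap_net_admin` (a file capability via `setcap`) rather than running as full root.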