On Tue, Feb 24, 2015 at 09:30:56AM -0700, Eric Blake wrote:
> On 02/24/2015 02:50 AM, Wen Congyang wrote:
> >> Script files are in general very hard to secure. Libvirt marks any
> >> domain that uses a script file for controlling networking as tainted,
> >> because it cannot guarantee that the script did not do arbitrary
> >> actions. Can you come up with any better solution that does not require
> >> a script file, such as having management software responsible for
> >> passing in an already-opened fd?
> >
> > Do you mean opening the script in libvirt?
>
> No, I mean a solution that needs no script file at all. Have libvirt
> pre-open the TAP device you will need, then pass in the fd that will be
> used for the colo NIC.
Agreed, we really must not add new features that require executing arbitrary blackbox shell scripts to QEMU, when we know that results in a flawed security model. And just pushing the script execution up to libvirt is not really a satisfactory solution either.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|