On Wed, Dec 20, 2017 at 10:57:40AM +0000, Daniel P. Berrange wrote:
> On Wed, Dec 20, 2017 at 11:44:36AM +0100, Kashyap Chamarthy wrote:
> > On Mon, Dec 18, 2017 at 11:11:00AM +0100, Markus Armbruster wrote:

[...]

> > > Another thought: do we want to give qemu-system-* the necessary
> > > privileges for creating images?  Two cases: running with and without a
> > > guest.
> >
> > Related: Just curious -- was it an explicit design decision to not give
> > `qemu-system-*` permissions to create disk images?
>
> Our security model considers QEMU broadly untrustworthy, and so any resources
> it needs to use must either be passed in by libvirt, or have permissions
> explicitly assigned to permit usage by QEMU.  QEMU is allowed to create tmp
> files, and create RAM files for memory backing, but in general we don't want
> to have QEMU able to create arbitrary files, only open things that are
> already created.

Ah, true.  Thanks for the reminder about the security architecture.

(Also I realize that libvirt launches QEMU as an unprivileged user,
'qemu', which is part of the defense-in-depth approach, along w/ sVirt
mechanism, etc.)

[...]

-- 
/kashyap