On Thu, Nov 07, 2019 at 09:33:45AM -0500, Michael S. Tsirkin wrote: > On Thu, Nov 07, 2019 at 03:02:20PM +0100, Stefan Hajnoczi wrote: > > This documentation suggests that QEMU spawns the remote processes. How > > do this work with unprivileged QEMU? Is there an additional step where > > QEMU drops privileges after having spawned remote processes? > > > > Remote processes require accesses to resources that the main QEMU > > process does not need access to, so I'm wondering how this process model > > ensures that each process has only the privileges it needs. > > I guess you have something like capabilities in mind?
Or namespaces (unshare(2)). > When using something like selinux, priviledges are per binary > so the order of startup doesn't matter. For static SELinux policies that make sense, thanks for explaining. Does libvirt also perform dynamic (i.e. per-instance) SELinux configuration? I guess that cannot be associated with a specific binary because multiple QEMU instances launch the same binary yet need to be differentiated. Stefan
signature.asc
Description: PGP signature
