On 07/20/2011 10:34 AM, Anthony Liguori wrote:
> On 07/20/2011 08:50 AM, Cleber Rosa wrote:
>> Just as a reminder: with DAC, if a guest is compromised and somehow
>> escalates to QEMU, it could disable its isolation (i.e., by setting its
>> own image files world readable). I guess we shouldn't try to fix the DAC
>> model, but fix what's preventing us from fully using MAC, even though
>> it's outside of QEMU.
>
> I don't see how a guest making its data world readable is a
> fundamental problem.

Well, if we're discussing security models and how to provide the best
isolation we can to VMs/QEMU instances, then a VM being able to read (or
even write) data of another VM *is* a fundamental problem. "Setting
their own image files world readable" is just one example of how that
could be accomplished.

> DAC is a fundamental part of the Unix design and is something that
> administrators understand very well.

That is a true sentence, but it does not make DAC the most appropriate
solution here.

> I completely understand the value of MAC, but to argue that we
> shouldn't present DAC as an option I think is fundamentally wrong.

I never said, and really don't think, we shouldn't provide other security
options/models; this is actually part of the well accepted "security in
multiple layers" strategy.

I did assume, though, we were aiming for the best isolation level, and
that is definitely MAC. DAC may indeed be good enough for some, but
definitely not good enough for many others.

CR.

> Regards,
> Anthony Liguori
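The DAC weakness Cleber describes, as an added illustration written for this page (not QEMU code and not from the thread): under the assumed convention of one dedicated uid per VM and images at mode 0600, the process that owns an image can widen its own permissions, and an audit over the image directory can at least detect that it happened. The directory layout, file name and mode convention are assumptions.

```python
"""Added example: a compromised QEMU, as owner of its own image, can undo
DAC isolation by chmod alone; an audit can detect the weakened state."""
import os
import stat
import tempfile

# Assumed deployment convention (not from the thread): one dedicated uid per
# VM, every image at mode 0600, so other VMs' uids cannot read it.
EXPECTED_MODE = 0o600


def image_findings(image_dir, expected_uid=None):
    """Return {name: [problems]} for images whose DAC protection is weakened."""
    findings = {}
    for name in sorted(os.listdir(image_dir)):
        st = os.lstat(os.path.join(image_dir, name))
        problems = []
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        perm = stat.S_IMODE(st.st_mode)
        if perm & (stat.S_IRGRP | stat.S_IROTH):
            problems.append("readable by group/others")
        if perm & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable by group/others")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append("unexpected owner uid %d" % st.st_uid)
        if problems:
            findings[name] = problems
    return findings


def simulate_owner_weakening(image_dir):
    """Create a correctly protected (constructed) image, then do what a
    compromised owner process can do under DAC: chmod it world readable.
    Returns the audit findings before and after."""
    path = os.path.join(image_dir, "vm1.img")  # constructed sample image
    with open(path, "wb") as f:
        f.write(b"constructed image data")
    os.chmod(path, EXPECTED_MODE)
    before = image_findings(image_dir)
    os.chmod(path, 0o644)  # owner widens its own file; DAC cannot refuse this
    after = image_findings(image_dir)
    return before, after


def demo():
    with tempfile.TemporaryDirectory() as d:
        return simulate_owner_weakening(d)


if __name__ == "__main__":
    print(demo())
```

With MAC (e.g. an sVirt label per VM) the label, not the file mode, decides access, so the same chmod would not expose the image to another VM's process.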