On Wed, 12 Oct 2011 09:28:00 +0100, "Daniel P. Berrange" <berra...@redhat.com>
wrote:
> On Wed, Oct 12, 2011 at 01:24:16PM +0530, M. Mohan Kumar wrote:
> > Security model is needed only for 'local' fs driver.
> >
> > Signed-off-by: M. Mohan Kumar <mo...@in.ibm.com>
> > ---
> > fsdev/qemu-fsdev.c | 6 +----
> > fsdev/qemu-fsdev.h | 1 +
> > hw/9pfs/virtio-9p-device.c | 47
> > ++++++++++++++++++++++---------------------
> > vl.c | 20 +++++++++++++++--
> > 4 files changed, 43 insertions(+), 31 deletions(-)
> >
....
> * Files on the fileserver are set to QEMU credentials.
> > + */
> > + s->ctx.fs_sm = SM_NONE;
> > + s->ctx.xops = none_xattr_ops;
> > + } else {
> > + fprintf(stderr, "Invalid security_model %s specified.\n"
> > + "Available security models are:\t "
> > + "passthrough,mapped or none\n", fse->security_model);
> > + exit(1);
> > + }
>
> Are you sure there aren't use cases where people would like to
> choose between passthrough & mapped, even when using the 'proxy'
> or 'handle' security drivers.
Currently handle fs driver requires CAP_DAC_READ_SEARCH and if qemu is
not going to run with specific capabilities this implies root
privileges. So handle fs driver doesn't do the mapping required by
different security model. Proxy fs driver is enabling us to run file
system operations as "root". So even for that we don't need mapped
security model. Even if we want to store file attributes in xattr with
proxy fs driver, that will go as a proxy's argument not as -fsdev
argument. Proxy also don't require export path name. But that is another
patch.
>
> Both of the security models seem pretty generally useful to me,
> regardless of the driver type.
>
-aneesh
