[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qem

From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Date: Thu, 05 Nov 2009 08:53:43 -0600
User-agent: Thunderbird (X11/20090825)

Daniel P. Berrange wrote:
On Thu, Nov 05, 2009 at 04:36:19PM +0200, Avi Kivity wrote:
On 11/05/2009 04:33 PM, Avi Kivity wrote:
and concerned that we're loosening security for qemu non-users.

I see you've addressed this via an acl system. Still, this is IMO should be outside qemu, esp. as security is now much more than users/groups (i.e. selinux and friends).

IMHO this needs to hook into PolicyKit, since that is the access control
framework that is being standardized on across the desktop. It is quite
easy to work with - all you need do is provide a policy file, and to
authorize a user, you'd run the 'pkcheck' program and its exit status
gives the result.

Absolutely. I wanted to not have a hard dependency on PolicyKit to start out with but that's always been the plan. I'd like to eventually add an optional PolicyKit dependency and when that's available not even bother with the qemu acl file. The nice thing about PolicyKit is the desktop integration. It's a much better user experience to allow a user to be prompted to allow qemu to access a bridge vs. having to error out to the user and tell them to muck with a config file.


Anthony Liguori

reply via email to

[Prev in Thread] Current Thread [Next in Thread]