Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge

From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
Date: Mon, 09 Nov 2009 08:20:20 -0600
Avi Kivity wrote:
On 11/08/2009 12:11 AM, Anthony Liguori wrote:

 You don't need root privileges to use a tap device.

You can access a preconfigured tap device but you cannot allocate a tap device and connect it to a bridge without CAP_NET_ADMIN.

btw, shouldn't we, in the general case, create a bridge per user and use IP NAT? If we have a global bridge, users can spoof each other's MAC addresses and interfere with their virtual machines.

qemu-bridge-helper supports that model quite well :-) You would create a NAT'd bridge for each user as the administrator, then create a bridge.conf that consisted of per-user includes with appropriate permissions set on each of those files.

  They can also interfere with the real network.

That's not a concern with most one-user-per-machine configurations, but the default configuration should be safe.

Let's not kid ourselves, no matter what we do we're giving a user elevated privileges. Even with NAT, if the host can access the NAT'ed network, then you can run a privileged service (like NFS) in that network. Like it or not, some networks rely on privileged services being trusted as part of their security model (consider NIS).

I think the best we can do is provide a tool that allows an administrator to grant users additional privileges in the tiniest increments possible. Putting people in wheel just so they can do virtualization is too much.

I don't see having an fscap-based helper as creating policy. I see it as adding a mechanism for administrators to create policy.


Anthony Liguori
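To make the per-user bridge.conf layout concrete, here is an added model (not code from the patch or from QEMU) of how include-file permissions carry the isolation: it assumes the helper runs with only CAP_NET_ADMIN via fscap, so ACL files are opened as the invoking user, and it assumes the `allow <bridge>` / `include <file>` directive syntax of the later merged qemu-bridge-helper, with unreadable includes silently skipped. Ownership and modes are simulated in a dict so it runs without root.

```python
import os
import tempfile

# Constructed example: (uid, gid, NAT'd bridge created by the admin) per user.
USERS = {"alice": (1001, 1001, "alice-br0"), "bob": (1002, 1002, "bob-br0")}

# Simulated (owner, group, mode) of each ACL file; stands in for real chown/chmod.
PERMS = {}

def can_read(uid, gid, path):
    """POSIX read check against the simulated owner/group/mode of a file."""
    owner, group, mode = PERMS[path]
    if uid == 0:
        return True  # a helper still running as root would read every include
    if uid == owner:
        return bool(mode & 0o400)
    if gid == group:
        return bool(mode & 0o040)
    return bool(mode & 0o004)

def write_layout(root, include_mode):
    """bridge.conf with one include per user; each include allows only that user's bridge."""
    confdir = os.path.join(root, "bridge.conf.d")
    os.makedirs(confdir, exist_ok=True)
    main = os.path.join(root, "bridge.conf")
    with open(main, "w") as f:
        for user, (uid, gid, bridge) in USERS.items():
            path = os.path.join(confdir, user + ".conf")
            with open(path, "w") as uf:
                uf.write("allow %s\n" % bridge)
            PERMS[path] = (0, gid, include_mode)  # root-owned, group = that user
            f.write("include %s\n" % path)
    PERMS[main] = (0, 0, 0o644)
    return main

def allowed_bridges(uid, gid, path):
    """Bridges the caller may attach to; includes the caller cannot read are skipped."""
    allowed = set()
    if not can_read(uid, gid, path):
        return allowed
    with open(path) as f:
        for line in f:
            cmd, _, arg = line.strip().partition(" ")
            if cmd == "include":
                allowed |= allowed_bridges(uid, gid, arg)
            elif cmd == "allow":
                allowed.add(arg)
    return allowed

def demo(include_mode):
    """{user: allowed bridges} for a layout whose include files have include_mode."""
    with tempfile.TemporaryDirectory() as root:
        main = write_layout(root, include_mode)
        return {u: allowed_bridges(uid, gid, main) for u, (uid, gid, _) in USERS.items()}
```

With mode 0640 each user sees only their own bridge; with a world-readable 0644 include file the per-user split collapses and every user can attach to every bridge.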

