run QEMU as non-root
author    Stefano Stabellini <stefano.stabellini@eu.citrix.com>
          Thu, 5 Nov 2015 12:47:26 +0000 (12:47 +0000)
committer Ian Campbell <ian.campbell@citrix.com>
          Mon, 16 Nov 2015 11:09:41 +0000 (11:09 +0000)
commit    84f2fd1ba567f4cb08ed101e26d013c181ab3318
tree      4c70c8d3d9bee9a6c692fb2e005642973f8794b1
parent    fb31b1475f1bf179f033b8de3f0e173006fd77e9
run QEMU as non-root

Try to use "xen-qemuuser-domid$domid" first, then
"xen-qemuuser-shared" and root if everything else fails.

The uids need to be manually created by the user or, more likely, by the
xen package maintainer.

Expose a device_model_user setting in libxl_domain_build_info, so that
opinionated callers, such as libvirt, can set any user they like. Do not
fall back to root if device_model_user is set. Users can also set
device_model_user by hand in the xl domain config file.

QEMU is going to setuid and setgid to the user ID and the group ID of
the specified user, soon after initialization, before starting to deal
with any guest IO.

To actually secure QEMU when running in Dom0, we need at least to
deprivilege the privcmd and xenstore interfaces; this is just the first
step in that direction.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
INSTALL
docs/man/xl.cfg.pod.5
docs/misc/qemu-deprivilege.txt [new file with mode: 0644]
tools/libxl/libxl.h
tools/libxl/libxl_dm.c
tools/libxl/libxl_internal.h
tools/libxl/libxl_types.idl
tools/libxl/xl_cmdimpl.c
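The user selection order described in the commit message above, as an added example that is not libxl's own code: an explicit device_model_user must exist or the device model is refused (no root fallback); otherwise xen-qemuuser-domid$domid is tried, then xen-qemuuser-shared, then root. The account table is constructed for the example in place of /etc/passwd (real code would call getpwnam_r(3)), and the "-runas <user>" argument is an assumption about how libxl asks QEMU to setuid/setgid; the commit page does not show the QEMU command line.

```c
#include <stdio.h>
#include <string.h>

enum dm_user_result {
    DM_USER_OK = 0,      /* a non-root account was selected */
    DM_USER_ROOT = 1,    /* fell back to root (or root was named explicitly) */
    DM_USER_ERROR = -1   /* explicit device_model_user missing: refuse to start */
};

struct account { const char *name; unsigned uid; unsigned gid; };
/* Constructed stand-in for the passwd database (hypothetical uids). */
struct account_db { const struct account *accounts; size_t count; };

static const struct account example_table[] = {
    { "root", 0, 0 },
    { "xen-qemuuser-shared", 64000, 64000 },
    { "xen-qemuuser-domid7", 64007, 64007 },
    { "libvirt-qemu", 64055, 64055 },
};
const struct account_db example_db = { example_table, 4 };
/* A host where the package maintainer created no xen-qemuuser-* accounts. */
const struct account_db root_only_db = { example_table, 1 };

/* Returns 1 and fills uid/gid if name exists in db, else 0. */
static int db_lookup(const struct account_db *db, const char *name,
                     unsigned *uid, unsigned *gid)
{
    for (size_t i = 0; i < db->count; i++) {
        if (strcmp(db->accounts[i].name, name) == 0) {
            *uid = db->accounts[i].uid;
            *gid = db->accounts[i].gid;
            return 1;
        }
    }
    return 0;
}

struct dm_user_choice {
    enum dm_user_result result;
    char name[64];
    unsigned uid, gid;
};

/* Selection policy from the commit message; device_model_user may be NULL. */
struct dm_user_choice choose_dm_user(const struct account_db *db, unsigned domid,
                                     const char *device_model_user)
{
    struct dm_user_choice c = { DM_USER_ROOT, "root", 0, 0 };
    char candidate[64];

    /* Opinionated caller (xl config or libvirt) named a user: use it or fail. */
    if (device_model_user != NULL) {
        if (!db_lookup(db, device_model_user, &c.uid, &c.gid)) {
            c.result = DM_USER_ERROR;
            c.name[0] = '\0';
            return c;
        }
        snprintf(c.name, sizeof c.name, "%s", device_model_user);
        c.result = (c.uid == 0) ? DM_USER_ROOT : DM_USER_OK;
        return c;
    }
    /* Per-domain account first, then the shared one, then root. */
    snprintf(candidate, sizeof candidate, "xen-qemuuser-domid%u", domid);
    if (db_lookup(db, candidate, &c.uid, &c.gid)) {
        snprintf(c.name, sizeof c.name, "%s", candidate);
        c.result = DM_USER_OK;
        return c;
    }
    if (db_lookup(db, "xen-qemuuser-shared", &c.uid, &c.gid)) {
        snprintf(c.name, sizeof c.name, "xen-qemuuser-shared");
        c.result = DM_USER_OK;
        return c;
    }
    return c;  /* uid/gid untouched by failed lookups: still 0 */
}

/* Assumption: the privilege drop is requested with "-runas <user>"; root
 * needs no argument. Returns the number of argv entries written (0 or 2). */
int qemu_runas_args(const struct dm_user_choice *c, const char *argv[2])
{
    if (c->result != DM_USER_OK)
        return 0;
    argv[0] = "-runas";
    argv[1] = c->name;
    return 2;
}

int main(void)
{
    const char *argv[2];
    for (unsigned domid = 7; domid <= 8; domid++) {
        struct dm_user_choice c = choose_dm_user(&example_db, domid, NULL);
        int n = qemu_runas_args(&c, argv);
        printf("domid %u -> %s (uid %u gid %u)%s\n", domid, c.name, c.uid, c.gid,
               n ? " via -runas" : " WARNING: running as root");
    }
    struct dm_user_choice e = choose_dm_user(&example_db, 9, "nosuch");
    printf("device_model_user=nosuch -> %s\n",
           e.result == DM_USER_ERROR ? "refused, no root fallback" : e.name);
    return 0;
}
```

The check worth keeping from this is the asymmetry: the implicit search may end at root (with a warning), but a user the administrator named explicitly that does not exist is an error, so a typo in device_model_user cannot silently yield a root QEMU.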