The ability to run KVM processes as non-root is something that is to be added to libvirt in the near
All VMs run as the same user...
Posted Sep 25, 2009 20:10 UTC (Fri) by lutchann (subscriber, #8872)
With such a setup, the only thing you have to pray for is that there are no vulnerabilities that allow a guest VM to break into the host's ring 0. Unfortunately, such bugs have already been discovered in Xen.
(I can share my C wrapper for containerizing KVM if anybody's interested. Post a followup to this comment and I'll tar it up and post it somewhere.)
Posted Sep 27, 2009 10:22 UTC (Sun) by nix (subscriber, #2304)
Posted Sep 25, 2009 20:19 UTC (Fri) by smoogen (subscriber, #97)
Posted Sep 26, 2009 6:22 UTC (Sat) by Cato (subscriber, #7643)
Posted Sep 26, 2009 7:19 UTC (Sat) by rwmj (subscriber, #5474)
Posted Sep 26, 2009 9:04 UTC (Sat) by avik (guest, #704)
Of course, if a process has access to another process (via kill(2) or ptrace(2)) it can affect or access data belonging to that process. So if you run all virtual machines as the same user, you need to further isolate them. I believe sVirt does that with its random SELinux contexts, but I'm no SELinux expert.
Posted Sep 26, 2009 10:17 UTC (Sat) by rwmj (subscriber, #5474)
Posted Sep 28, 2009 17:35 UTC (Mon) by danpb (subscriber, #4831)
Also in Fedora 12, /dev/kvm has mode 0666 out of the box, allowing qemu:///session users to use KVM acceleration.
The libvirt security architecture that deals with sVirt is modular, allowing arbitrary security plugins. The Ubuntu devs have got an impl using AppArmor. It would also be possible to write an impl that ran each VM as a unique user ID.
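Added example, not part of any comment in this thread and not libvirt code: a host-side audit of the point made above, that VMs sharing one user ID need a further layer such as sVirt's per-VM SELinux contexts. It assumes input in the column order of `ps -eo pid,user,label,args`, the `svirt_t` process type, and a simplified rule that differing MCS levels mean separation; the sample lines and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample, in the column order of `ps -eo pid,user,label,args`.
SAMPLE_PS = """\
 2101 qemu  system_u:system_r:svirt_t:s0:c12,c340      /usr/bin/qemu-kvm -name web1
 2102 qemu  system_u:system_r:svirt_t:s0:c77,c901      /usr/bin/qemu-kvm -name web2
 2103 qemu  system_u:system_r:svirt_t:s0:c12,c340      /usr/bin/qemu-kvm -name db1
 3001 alice unconfined_u:unconfined_r:unconfined_t:s0  /usr/bin/qemu-kvm -name test1
 3002 alice unconfined_u:unconfined_r:unconfined_t:s0  /usr/bin/qemu-kvm -name test2
 3100 vm-a  unconfined_u:unconfined_r:unconfined_t:s0  /usr/bin/qemu-kvm -name solo
  900 root  system_u:system_r:sshd_t:s0                /usr/sbin/sshd -D
"""

def parse_vms(ps_text):
    """Return one dict per QEMU process: pid, user, SELinux type, MCS level."""
    vms = []
    for line in ps_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, user, label, args = fields
        if not args.split()[0].rsplit("/", 1)[-1].startswith("qemu"):
            continue  # not a QEMU/KVM process
        parts = label.split(":", 3)  # user:role:type:level
        # A label of "-" (SELinux disabled) yields no type and no level.
        setype, level = (parts[2], parts[3]) if len(parts) == 4 else ("", "")
        vms.append({"pid": int(pid), "user": user, "type": setype, "level": level})
    return vms

def mac_separated(a, b):
    """Simplified sVirt check (assumption): both svirt_t, different MCS levels."""
    return a["type"] == b["type"] == "svirt_t" and a["level"] != b["level"]

def exposed_pairs(ps_text):
    """VM pairs that share a user ID and have no MAC separation between them."""
    return [(a["pid"], b["pid"])
            for a, b in combinations(parse_vms(ps_text), 2)
            if a["user"] == b["user"] and not mac_separated(a, b)]

if __name__ == "__main__":
    for pid_a, pid_b in exposed_pairs(SAMPLE_PS):
        print(f"PIDs {pid_a} and {pid_b}: same user, no sVirt separation")
```

A VM running alone under its own user ID (PID 3100 in the sample) produces no finding, which is the unique-user-ID design mentioned in the last comment.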