| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112 |
- =====
- D-Bus
- =====
- Introduction
- ============
- QEMU may be running with various helper processes involved:
- - vhost-user* processes (gpu, virtfs, input, etc...)
- - TPM emulation (or other devices)
- - user networking (slirp)
- - network services (DHCP/DNS, samba/ftp etc)
- - background tasks (compression, streaming etc)
- - client UI
- - admin & cli
- Having several processes allows stricter security rules, as well as
- greater modularity.
- While QEMU itself uses QMP as primary IPC (and Spice/VNC for remote
- display), D-Bus is the de facto IPC of choice on Unix systems. The
- wire format is machine friendly, good bindings exist for various
- languages, and there are various tools available.
- Using a bus, helper processes can discover and communicate with each
- other easily, without going through QEMU. The bus topology is also
- easier to apprehend and debug than a mesh. However, it is wise to
- consider the security aspects of it.
- Security
- ========
- A QEMU D-Bus bus should be private to a single VM. Thus, only
- cooperative tasks are running on the same bus to serve the VM.
- D-Bus, the protocol and standard, doesn't have mechanisms to enforce
- security between peers once the connection is established. Peers may
- have additional mechanisms to enforce security rules, based for
- example on UNIX credentials.
- The daemon can control which peers can send/recv messages using
- various metadata attributes, however, this is alone is not generally
- sufficient to make the deployment secure. The semantics of the actual
- methods implemented using D-Bus are just as critical. Peers need to
- carefully validate any information they received from a peer with a
- different trust level.
- dbus-daemon policy
- ------------------
- dbus-daemon can enforce various policies based on the UID/GID of the
- processes that are connected to it. It is thus a good idea to run
- helpers as different UID from QEMU and set appropriate policies.
- Depending on the use case, you may choose different scenarios:
- - Everything the same UID
- - Convenient for developers
- - Improved reliability - crash of one part doesn't take
- out entire VM
- - No security benefit over traditional QEMU, unless additional
- unless additional controls such as SELinux or AppArmor are
- applied
- - Two UIDs, one for QEMU, one for dbus & helpers
- - Moderately improved user based security isolation
- - Many UIDs, one for QEMU one for dbus and one for each helpers
- - Best user based security isolation
- - Complex to manager distinct UIDs needed for each VM
- For example, to allow only ``qemu`` user to talk to ``qemu-helper``
- ``org.qemu.Helper1`` service, a dbus-daemon policy may contain:
- .. code:: xml
- <policy user="qemu">
- <allow send_destination="org.qemu.Helper1"/>
- <allow receive_sender="org.qemu.Helper1"/>
- </policy>
- <policy user="qemu-helper">
- <allow own="org.qemu.Helper1"/>
- </policy>
- dbus-daemon can also perform SELinux checks based on the security
- context of the source and the target. For example, ``virtiofs_t``
- could be allowed to send a message to ``svirt_t``, but ``virtiofs_t``
- wouldn't be allowed to send a message to ``virtiofs_t``.
- See dbus-daemon man page for details.
- Guidelines
- ==========
- When implementing new D-Bus interfaces, it is recommended to follow
- the "D-Bus API Design Guidelines":
- https://dbus.freedesktop.org/doc/dbus-api-design.html
- The "org.qemu.*" prefix is reserved for services implemented &
- distributed by the QEMU project.
- QEMU Interfaces
- ===============
- :doc:`dbus-vmstate`
- :doc:`dbus-display`
|
