[virt-tools-list] virt-manager user support to run qemu-kvm process under system user for security
Daniel P. Berrange
berrange at redhat.com
Thu Jan 20 14:18:02 UTC 2011
On Tue, Jan 18, 2011 at 03:43:38PM +0000, Wu Haa wrote:
>
> Hi,
>
> If/when will 'chroot'/'runas user' be made available in virt-manager and xml config structure.
>
> QEMU-KVM Options
>
> -chroot dir Chroot to dir just before starting the VM.
SELinux/AppArmour will provide stronger protection than this
would, by ensuring VMs can only access files that have been
explicitly listed in the guest XML config. In the future we
may also use linux container functionality to confine VMs,
which can offer a form of chroot that is much more secure
and flexible.
> -runas user Change to user id user just before starting the VM.
When connected to 'qemu://session' all VMs are run unprivileged
as your own user ID. When connected to qemu://system VMs are
either run as root, or these days as a 'qemu' user. In the future
there will be a security driver that runs each VM under a dedicated
user ID.
Daniel
More information about the virt-tools-list
mailing list