Copyright 2013 by Citrix Systems, Inc. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
There's a particular shortcoming in the standard SELinux policy which becomes evident in systems like XenClient. When multiple instances of a program are run, each instance executed from the same binary will have the same label (i.e. all qemu-dm processes will be labeled qemu_t). This would allow a compromised qemu-dm process supporting a virtual machine (call it VM_A) to access the resources belonging to other VMs (pick a specific one and call it VM_B). Obviously this is not desirable, as it becomes an obvious "weakest link" in the separation we've worked so hard to achieve. This page documents an implementation of a solution to this issue known as sVirt.
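As an added illustration (not code from the original page or from XenClient), the following Python model shows the gap described above and how the sVirt approach closes it: every qemu-dm instance and its VM's disk image are given a unique pair of SELinux MCS categories, and access is granted only when the process's categories dominate the object's. The object type svirt_image_t, the single allowed type pair, and the random category allocator are assumptions of this model, not XenClient's actual policy.

```python
import random

# Constructed model: SELinux contexts are "user:role:type:level"; the level
# is "s0" or "s0:cX,cY". Only comma-separated category lists are handled
# (category ranges such as c0.c1023 are out of scope for this illustration).

def parse_context(ctx):
    """Return (type, frozenset of categories) from a context string."""
    _user, _role, type_, level = ctx.split(":", 3)
    _sens, _, cats = level.partition(":")
    return type_, frozenset(cats.split(",")) if cats else frozenset()

def label(type_, cats):
    """Build a context string, rendering categories in numeric order."""
    level = "s0"
    if cats:
        level += ":" + ",".join(sorted(cats, key=lambda c: int(c[1:])))
    return f"system_u:system_r:{type_}:{level}"

def allocate_categories(used, rng, ncat=1024):
    """Pick an unused pair of categories (assumed allocator, libvirt-style)."""
    while True:
        a, b = rng.sample(range(ncat), 2)
        pair = frozenset((f"c{a}", f"c{b}"))
        if pair not in used:
            used.add(pair)
            return pair

def mcs_allows(proc_ctx, obj_ctx, allowed_type_pairs):
    """Type enforcement must permit (proc type, obj type); then the process
    categories must be a superset of (dominate) the object categories."""
    ptype, pcats = parse_context(proc_ctx)
    otype, ocats = parse_context(obj_ctx)
    if (ptype, otype) not in allowed_type_pairs:
        return False
    return ocats <= pcats

def cross_vm_access(vms, with_svirt):
    """Map (process VM, image VM) -> allowed, for every qemu-dm against every image.
    With with_svirt=False every instance is plain qemu_t, as the page describes."""
    used, rng, ctx = set(), random.Random(1), {}
    for vm in vms:
        cats = allocate_categories(used, rng) if with_svirt else frozenset()
        ctx[vm] = (label("qemu_t", cats), label("svirt_image_t", cats))
    rules = {("qemu_t", "svirt_image_t")}  # assumed TE rule: qemu_t may touch svirt_image_t
    return {(p, o): mcs_allows(ctx[p][0], ctx[o][1], rules) for p in vms for o in vms}

if __name__ == "__main__":
    for mode in (False, True):
        print("sVirt labels" if mode else "single label", cross_vm_access(["VM_A", "VM_B"], mode))
```

Because two distinct category pairs of equal size can never dominate one another, the sVirt result is independent of the random seed.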
Background
The need for sVirt became apparent as virtualization on Linux became popular in the late 2000s. James Morris announced the project in 2008 targeting integration into the libvirt project. Eventually this resulted in yet another pluggable driver in libvirt so that sVirt protections wouldn't be exclusive to SELinux systems (this allowed confinement using AppArmor as well).
...