Date: Wed, 24 Sep 2025 12:20:03 +0100
From: Daniel P. Berrangé
To: Stefano Brivio
CC: "Richard W.M. Jones", Yumei Huang, passt-dev@passt.top, david@gibson.dropbear.id.au
Subject: Re: [PATCH] test: Update README.md

On Wed, Sep 24, 2025 at 01:05:53PM +0200, Stefano Brivio wrote:
> On Wed, 24 Sep 2025 11:31:31 +0100
> "Richard W.M. Jones" wrote:
>
> > On Wed, Sep 24, 2025 at 11:09:09AM +0200, Stefano Brivio wrote:
> > > And now that you say that, I just realised that it would be as simple
> > > as:
> > >
> > >   https://libguestfs.org/guestfs-faq.1.html#permission-denied-when-running-libguestfs-as-root
> > >
> > >   LIBGUESTFS_BACKEND=direct virt-edit...
> >
> > While that will indeed work, we're trying to discourage people from
> > doing that, since it removes the other good things that libvirt does,
> > such as setting up SELinux.
>
> Oh, I see. I guess it makes sense, with a number of caveats:
>
> 1. libvirt's SELinux policy doesn't seem to be really maintainable /
>    long-term sustainable to me, especially because it's still part of
>    fedora-selinux

Well it isn't ideal that Fedora policy is largely centralized, but
it has been maintained since 2007, so claiming it is not long
term sustainable is just FUD.

> 2. it adds a rather artificial dependency on libvirt, so in the end
>    you're running more things, and more complicated ones, even if it's
>    not needed

Libvirt provides a stable interface to interacting with QEMU over
decades. QEMU's own interface is only guaranteed stable over 2
releases. As QEMU changes its interface and/or best practice
configuration approach, libvirt adapts to this so every app doesn't
have to repeat this work.

> 3. the profile is still much looser than what a libguestfs specific
>    profile could be, see for example the AppArmor policy I introduced
>    at:
>
>      https://salsa.debian.org/libvirt-team/guestfs-tools/-/commit/e638b1bcb8a6621d0b61907f9269a2506680684f
>
>    which, despite being rather loose, is still arguably much stricter
>    than this beast (and related add-ons):
>
>      https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in
>
>    and I think a strict subset of it, as well.

This is the policy for the libvirt daemon, which is separate from
the policy that the QEMU guest runs under - the latter is constrained
to limit access to resources configured for the guest VM.

The libvirt daemon policy needs to be loose by default, since users
want libvirt to be able to access a wide range of files and resources.

This same need applies to guestfish - it needs to access arbitrarily
specified disk images, so would need a very loose policy. Only the
spawned QEMU could be confined strictly, and that would be equiv to
what is already done with libvirt's policy for QEMU.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|