summaryrefslogtreecommitdiffstats
path: root/docs/interop/dbus.rst
blob: be596d3f418c14ff5744943b6266195d0560adac (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
=====
D-Bus
=====

Introduction
============

QEMU may be running with various helper processes involved:
 - vhost-user* processes (gpu, virtfs, input, etc...)
 - TPM emulation (or other devices)
 - user networking (slirp)
 - network services (DHCP/DNS, samba/ftp etc)
 - background tasks (compression, streaming etc)
 - client UI
 - admin & cli

Having several processes allows stricter security rules, as well as
greater modularity.

While QEMU itself uses QMP as primary IPC (and Spice/VNC for remote
display), D-Bus is the de facto IPC of choice on Unix systems. The
wire format is machine friendly, good bindings exist for various
languages, and there are various tools available.

Using a bus, helper processes can discover and communicate with each
other easily, without going through QEMU. The bus topology is also
easier to apprehend and debug than a mesh. However, it is wise to
consider the security aspects of it.

Security
========

A QEMU D-Bus bus should be private to a single VM. Thus, only
cooperative tasks are running on the same bus to serve the VM.

D-Bus, the protocol and standard, doesn't have mechanisms to enforce
security between peers once the connection is established. Peers may
have additional mechanisms to enforce security rules, based for
example on UNIX credentials.

The daemon can control which peers can send/recv messages using
various metadata attributes, however, this is alone is not generally
sufficient to make the deployment secure.  The semantics of the actual
methods implemented using D-Bus are just as critical. Peers need to
carefully validate any information they received from a peer with a
different trust level.

dbus-daemon policy
------------------

dbus-daemon can enforce various policies based on the UID/GID of the
processes that are connected to it. It is thus a good idea to run
helpers as different UID from QEMU and set appropriate policies.

Depending on the use case, you may choose different scenarios:

 - Everything the same UID

   - Convenient for developers
   - Improved reliability - crash of one part doesn't take
     out entire VM
   - No security benefit over traditional QEMU, unless additional
     unless additional controls such as SELinux or AppArmor are
     applied

 - Two UIDs, one for QEMU, one for dbus & helpers

   - Moderately improved user based security isolation

 - Many UIDs, one for QEMU one for dbus and one for each helpers

   - Best user based security isolation
   - Complex to manager distinct UIDs needed for each VM

For example, to allow only ``qemu`` user to talk to ``qemu-helper``
``org.qemu.Helper1`` service, a dbus-daemon policy may contain:

.. code:: xml

  <policy user="qemu">
     <allow send_destination="org.qemu.Helper1"/>
     <allow receive_sender="org.qemu.Helper1"/>
  </policy>

  <policy user="qemu-helper">
     <allow own="org.qemu.Helper1"/>
  </policy>


dbus-daemon can also perform SELinux checks based on the security
context of the source and the target. For example, ``virtiofs_t``
could be allowed to send a message to ``svirt_t``, but ``virtiofs_t``
wouldn't be allowed to send a message to ``virtiofs_t``.

See dbus-daemon man page for details.

Guidelines
==========

When implementing new D-Bus interfaces, it is recommended to follow
the "D-Bus API Design Guidelines":
https://dbus.freedesktop.org/doc/dbus-api-design.html

The "org.qemu.*" prefix is reserved for services implemented &
distributed by the QEMU project.

QEMU Interfaces
===============

:doc:`dbus-vmstate`