=====
D-Bus
=====

Introduction
============

QEMU may be running with various helper processes involved:

 - vhost-user* processes (gpu, virtfs, input, etc...)
 - TPM emulation (or other devices)
 - user networking (slirp)
 - network services (DHCP/DNS, samba/ftp etc)
 - background tasks (compression, streaming etc)
 - client UI
 - admin & cli

Having several processes allows stricter security rules, as well as
greater modularity.

While QEMU itself uses QMP as primary IPC (and Spice/VNC for remote
display), D-Bus is the de facto IPC of choice on Unix systems. The
wire format is machine friendly, good bindings exist for various
languages, and there are various tools available.

Using a bus, helper processes can discover and communicate with each
other easily, without going through QEMU. The bus topology is also
easier to apprehend and debug than a mesh. However, it is wise to
consider the security aspects of it.

Security
========

A QEMU D-Bus bus should be private to a single VM.
Thus, only cooperative tasks are running on the same bus to serve the VM.

D-Bus, the protocol and standard, doesn't have mechanisms to enforce
security between peers once the connection is established. Peers may
have additional mechanisms to enforce security rules, based for
example on UNIX credentials.

The daemon can control which peers can send/recv messages using
various metadata attributes; however, this alone is not generally
sufficient to make the deployment secure. The semantics of the actual
methods implemented using D-Bus are just as critical. Peers need to
carefully validate any information they receive from a peer with a
different trust level.

dbus-daemon policy
------------------

dbus-daemon can enforce various policies based on the UID/GID of the
processes that are connected to it. It is thus a good idea to run
helpers under a different UID from QEMU and set appropriate policies.
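The following is an added example, not part of the QEMU documentation and not dbus-daemon code: a small Python model of how dbus-daemon evaluates ``<policy>`` rules, fed with the ``qemu`` / ``qemu-helper`` policy from this section placed behind a constructed default-deny context. It follows the ordering documented in dbus-daemon(1) (the ``default`` context first, then the policies for the connecting user, with the last matching rule deciding) but models only the ``own``, ``send_destination`` and ``receive_sender`` attributes; the per-VM bus, the ``nobody`` peer and the ``check_page_policy`` helper are assumptions made for the example.

```python
"""Simplified model of dbus-daemon <policy> evaluation (added example).

Not dbus-daemon's implementation: it applies the default context, then
the policies for the peer's user, and lets the last matching rule win.
Only own / send_destination / receive_sender are modelled; group and
mandatory contexts, interface/member matching and eavesdrop are not.
"""
import xml.etree.ElementTree as ET

# Constructed configuration (assumption: a private per-VM bus): a
# default-deny context followed by the policy shown in this section.
BUS_CONFIG = """
<busconfig>
  <policy context="default">
    <deny own="*"/>
    <deny send_destination="*"/>
    <deny receive_sender="*"/>
    <allow send_destination="org.freedesktop.DBus"/>
  </policy>

  <policy user="qemu">
    <allow send_destination="org.qemu.Helper1"/>
    <allow receive_sender="org.qemu.Helper1"/>
  </policy>

  <policy user="qemu-helper">
    <allow own="org.qemu.Helper1"/>
  </policy>
</busconfig>
"""


def parse_policies(xml_text):
    """Return [(selector, rules)]; selector is ('default',) or ('user', name)."""
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.findall("policy"):
        if pol.get("context") == "default":
            selector = ("default",)
        elif pol.get("user") is not None:
            selector = ("user", pol.get("user"))
        else:
            continue  # group / mandatory contexts are not modelled here
        rules = [(rule.tag, dict(rule.attrib)) for rule in pol]
        policies.append((selector, rules))
    return policies


def _rule_matches(attrs, action, name):
    # A rule matches when it carries the requested attribute and the
    # value is either the wildcard "*" or the exact bus name asked for.
    if action not in attrs:
        return False
    return attrs[action] in ("*", name)


def is_allowed(policies, user, action, name):
    """Decide `action` (own/send_destination/receive_sender) on `name` for `user`.

    Default-context rules run first, then the user's rules; the last
    matching rule decides. With no matching rule the request is denied.
    """
    ordered = [p for p in policies if p[0] == ("default",)]
    ordered += [p for p in policies if p[0] == ("user", user)]
    verdict = False
    for _selector, rules in ordered:
        for tag, attrs in rules:
            if _rule_matches(attrs, action, name):
                verdict = tag == "allow"
    return verdict


def check_page_policy():
    """Exercise the scenario from this section; returns {case: allowed}."""
    policies = parse_policies(BUS_CONFIG)
    helper = "org.qemu.Helper1"
    return {
        "qemu_sends_to_helper": is_allowed(policies, "qemu", "send_destination", helper),
        "qemu_receives_from_helper": is_allowed(policies, "qemu", "receive_sender", helper),
        "helper_owns_name": is_allowed(policies, "qemu-helper", "own", helper),
        "qemu_owns_name": is_allowed(policies, "qemu", "own", helper),
        "other_sends_to_helper": is_allowed(policies, "nobody", "send_destination", helper),
        "other_talks_to_bus_driver": is_allowed(
            policies, "nobody", "send_destination", "org.freedesktop.DBus"),
    }


if __name__ == "__main__":
    for case, allowed in check_page_policy().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The point of the default-deny context is visible in the ``qemu_owns_name`` and ``other_sends_to_helper`` cases: without it, a connection under any UID could claim ``org.qemu.Helper1`` or send to it, since the page's two policies only grant rights and never take any away. The real daemon also matches on message type, interface and member, so a production policy is normally narrower than this model.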
Depending on the use case, you may choose different scenarios:

 - Everything the same UID

   - Convenient for developers
   - Improved reliability: a crash of one part doesn't take out the
     entire VM
   - No security benefit over traditional QEMU, unless additional
     controls such as SELinux or AppArmor are applied

 - Two UIDs, one for QEMU, one for dbus & helpers

   - Moderately improved user based security isolation

 - Many UIDs, one for QEMU, one for dbus and one for each helper

   - Best user based security isolation
   - Complex to manage: distinct UIDs are needed for each VM

For example, to allow only the ``qemu`` user to talk to the
``org.qemu.Helper1`` service owned by ``qemu-helper``, a dbus-daemon
policy may contain:

.. code:: xml

  <policy user="qemu">
     <allow send_destination="org.qemu.Helper1"/>
     <allow receive_sender="org.qemu.Helper1"/>
  </policy>

  <policy user="qemu-helper">
     <allow own="org.qemu.Helper1"/>
  </policy>


dbus-daemon can also perform SELinux checks based on the security
context of the source and the target. For example, ``virtiofs_t``
could be allowed to send a message to ``svirt_t``, but ``virtiofs_t``
wouldn't be allowed to send a message to ``virtiofs_t``.

See the dbus-daemon man page for details.

Guidelines
==========

When implementing new D-Bus interfaces, it is recommended to follow
the "D-Bus API Design Guidelines":
https://dbus.freedesktop.org/doc/dbus-api-design.html

The "org.qemu.*" prefix is reserved for services implemented &
distributed by the QEMU project.

QEMU Interfaces
===============

:doc:`dbus-vmstate`

:doc:`dbus-display`