Commit b51542b

README: add a "Security model" section
Add a "Security model" section explaining the current security model of libkrun and clarifying some local assumptions.

Signed-off-by: Sergio Lopez <[email protected]>
1 parent 368b4b5 commit b51542b

1 file changed (+18, -0 lines changed)


README.md

Lines changed: 18 additions & 0 deletions
@@ -82,6 +82,24 @@ A conventional virtual interface that allows the guest to communicate with the o
8282

8383
Use `krun_add_net_unixstream` and/or `krun_add_net_unixdgram` to add a virtio-net interface connected to the userspace network proxy.
8484

85+
## Security model
86+
87+
The libkrun security model is primarily defined by the consideration that both the guest and the VMM pertain to the same security context. For many operations, the VMM acts as a proxy for the guest within the host. Host resources that are accessible to the VMM can potentially be accessed by the guest through it.
88+
89+
While defining the security implementation of your environment, you should think about the guest and the VMM as a single entity. To prevent the guest from accessing host's resources, you need to use the host's OS security features to run the VMM inside an isolated context. On Linux, the primary mechanism to be used for this purpose is namespaces. Single-user systems may have a more relaxed security policy and just ensure the VMM runs with a particular UID/GID.
90+
91+
While most virtio devices allow the guest to access resources from the host, two of them require special consideration when used: virtio-fs and virtio-vsock+TSI.
92+
93+
### virtio-fs
94+
95+
When exposing a directory in a filesystem from the host to the guest through virtio-fs devices configured with `krun_set_root` and/or `krun_add_virtiofs`, libkrun **does not** provide any protection against the guest attempting to access other directories in the same filesystem, or even other filesystems in the host.
96+
97+
A mount point isolation mechanism from the host should be used in combination with virtio-fs.
98+
99+
### virtio-vsock + TSI
100+
101+
When TSI is enabled, the VMM acts as a proxy for AF_INET, AF_INET6 and AF_UNIX sockets, for both incoming and outgoing connections. For all that matters, the VMM and the guest should be considered to be running in the network context. As such, you should apply on the VMM whatever restrictions you want to apply on the guest.
102+
85103
## Building and installing
86104

87105
### Linux (generic variant)
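Review bot: the virtio-fs paragraph says "A mount point isolation mechanism from the host should be used in combination with virtio-fs" without naming one, even though the section's opening already states that namespaces are the primary mechanism on Linux; consider making the mapping explicit (a mount namespace in which the directory passed to `krun_set_root` / `krun_add_virtiofs` is the only tree the VMM can see, and for the TSI case a network namespace carrying the same restrictions you would impose on the guest), so readers are not left to infer how the "single entity" guidance applies to each device. A few wording fixes in the same hunk: "pertain to the same security context" reads better as "belong to the same security context"; in the TSI paragraph "For all that matters" should be "For all practical purposes", and "running in the network context" is missing a word and should read "running in the same network context".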
