History | View | Annotate | Download (10.1 kB)
Add access control support to qemu bridge helper
We go to great lengths to restrict ourselves to just cap_net_admin as an OSenforced security mechanism. However, we further restrict what we allow usersto do to simply adding a tap device to a bridge interface by virtue of the fact...
Add cap reduction support to enable use as SUID
The ideal way to use qemu-bridge-helper is to give it an fscap of using:
setcap cap_net_admin=ep qemu-bridge-helper
Unfortunately, most distros still do not have a mechanism to package fileswith fscaps applied. This means they'll have to SUID the qemu-bridge-helper...
Add basic version of bridge helper
This patch adds a helper that can be used to create a tap device attached toa bridge device. Since this helper is minimal in what it does, it can begiven CAP_NET_ADMIN which allows qemu to avoid running as root while still...