guix system vm, QEMU, virtfs, and the security_model option

guix system vm, QEMU, virtfs, and the security_model option

[Fabio Natali]

Hi,

A quick question re the 'guix system vm' command. When used in
combination with '--share=/foo=/bar', the command takes advantage of
QEMU's 'virtfs' option to share a folder between the host and the guest.

Interestingly, the command makes use of the 'security_model=none'
option. An alternative, one that I've seen recommended in some QEMU
docs⁰, would be using 'security_model=mapped-xattr'.

Is there any particular reason why we're using 'none' instead of
'mapped-xattr'?  The reason I'm asking is because I'm struggling with
some permission issues on a shared folder and I'd have a vague intuition
(or some hope) that 'mapped-xattr' might be a solution.

Thanks, best wishes, Fabio.

⁰ https://wiki.qemu.org/Documentation/9psetup'


-- 
Fabio Natali
https://fabionatali.com

Re: guix system vm, QEMU, virtfs, and the security_model option

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 1109 bytes --]

On Thu, May 30, 2024 at 04:15:33PM +0100, Fabio Natali wrote:
> Hi,
> 
> A quick question re the 'guix system vm' command. When used in
> combination with '--share=/foo=/bar', the command takes advantage of
> QEMU's 'virtfs' option to share a folder between the host and the guest.
> 
> Interestingly, the command makes use of the 'security_model=none'
> option. An alternative, one that I've seen recommended in some QEMU
> docs⁰, would be using 'security_model=mapped-xattr'.
> 
> Is there any particular reason why we're using 'none' instead of
> 'mapped-xattr'?  The reason I'm asking is because I'm struggling with
> some permission issues on a shared folder and I'd have a vague intuition
> (or some hope) that 'mapped-xattr' might be a solution.
> 

It looks like it was set in April 2014, so it may be time to revisit
it and see if changing the security_model works.

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: guix system vm, QEMU, virtfs, and the security_model option

[Brian O'Keefe]

Jumping in here briefly. I had installed Guix Debian Gnu/Hurd as a VM in 
QEMU. It work completely fine and I thought that I would keep it for 
some tasks. However it gobbled up disk space like crazy and I've since 
removed it. The install was simple and no issues.

On 6/2/24 12:55AM, Efraim Flashner wrote:
> On Thu, May 30, 2024 at 04:15:33PM +0100, Fabio Natali wrote:
>> Hi,
>>
>> A quick question re the 'guix system vm' command. When used in
>> combination with '--share=/foo=/bar', the command takes advantage of
>> QEMU's 'virtfs' option to share a folder between the host and the guest.
>>
>> Interestingly, the command makes use of the 'security_model=none'
>> option. An alternative, one that I've seen recommended in some QEMU
>> docs⁰, would be using 'security_model=mapped-xattr'.
>>
>> Is there any particular reason why we're using 'none' instead of
>> 'mapped-xattr'?  The reason I'm asking is because I'm struggling with
>> some permission issues on a shared folder and I'd have a vague intuition
>> (or some hope) that 'mapped-xattr' might be a solution.
>>
> It looks like it was set in April 2014, so it may be time to revisit
> it and see if changing the security_model works.
>
-- 

Re: guix system vm, QEMU, virtfs, and the security_model option

[Fabio Natali]

On 2024-06-02, 09:55 +0300, Efraim Flashner <efraim@flashner.co.il> wrote:
> It looks like it was set in April 2014, so it may be time to revisit
> it and see if changing the security_model works.

Hey Efraim, thanks for getting back to me. Ok, got it, I'll see if I
have time to put together a patch, I'd expect the change in itself not
to be particularly difficult. Thanks, cheers, F.