答复: security: the qemu agent command "guest-exec" may cause Insider Access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>On Fri, Aug 25, 2017 at 06:45:18 +0000, Zhangbo (Oscar) wrote:
>> Hi all:
>>      The Host Administrator is capable of running any exec in guests via the
>qemu-ga command "guest-exec", eg:
>>
>>         virsh qemu-agent-command test_guest '{"execute": "guest-exec",
>"arguments": {"path": "ifconfig", "arg": [ "eth1", "192.168.0.99" ],"capture-output":
>true } }'
>> {"return":{"pid":12425}}
>>        virsh qemu-agent-command test_guest '{"execute":
>"guest-exec-status", "arguments": { "pid": 12425 } }'
>> {"return":{"exitcode":0,"exited":true}}
>>
>>       The example above just change the guests' ip address, the Administrator
>may also change guests' user password, get sensitive information, etc. which
>causes Insider Access.
>>       The Administrator also can use other commands such as "
>guest-file-open" that also cause Insider Access.
>>
>>       So, how to avoid this security problem, what's your suggestion?
>
>You can use the "--blacklist" facility of qemu-ga to disable APIs you
>don't want to support. Or don't run the guest agent at all.

This works if the qemu-agent inside the guest is installed by us cloud provider. But if the guest
is installed all by the cloud tenant himself, he may not know to add "--blacklist" by default, and 
doesn't notice that his OS is opposed to host attackers. How to solve this problem? It seems that
we have to mitigate the treat on the host side?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux