>On Fri, Aug 25, 2017 at 06:45:18 +0000, Zhangbo (Oscar) wrote: >> Hi all: >> The Host Administrator is capable of running any exec in guests via the >qemu-ga command "guest-exec", eg: >> >> virsh qemu-agent-command test_guest '{"execute": "guest-exec", >"arguments": {"path": "ifconfig", "arg": [ "eth1", "192.168.0.99" ],"capture-output": >true } }' >> {"return":{"pid":12425}} >> virsh qemu-agent-command test_guest '{"execute": >"guest-exec-status", "arguments": { "pid": 12425 } }' >> {"return":{"exitcode":0,"exited":true}} >> >> The example above just change the guests' ip address, the Administrator >may also change guests' user password, get sensitive information, etc. which >causes Insider Access. >> The Administrator also can use other commands such as " >guest-file-open" that also cause Insider Access. >> >> So, how to avoid this security problem, what's your suggestion? > >You can use the "--blacklist" facility of qemu-ga to disable APIs you >don't want to support. Or don't run the guest agent at all. This works if the qemu-agent inside the guest is installed by us cloud provider. But if the guest is installed all by the cloud tenant himself, he may not know to add "--blacklist" by default, and doesn't notice that his OS is opposed to host attackers. How to solve this problem? It seems that we have to mitigate the treat on the host side? -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list