Re: New QEMU daemon for persistent reservations

On 11/09/2017 17:23, Daniel P. Berrange wrote:
>> On the other hand, the daemon has CAP_SYS_RAWIO and CAP_SYS_ADMIN, so if
>> you get memory corruption all bets are probably off anyway.
> That's where the benefit of strict selinux labelling comes in. If we had
> strict labelling of the individual paths below the device, then even if
> the daemon got corrupted, the policy would prevent it from doing any
> damage to the system beyond calling ioctl() the individual paths it had
> been granted. It wouldn't be able to access devices associated with
> the host OS mounts, or other non-VM related or non-multipath related
> block devices.

Sure, but those capabilities let you do a lot of nasty things
indirectly, even within the constraints of the SELinux policy.

For example, if you are able to reconfigure device mapper, you can
convince the kernel to write to any block device---even if you cannot
open it.  IDWEFAL (I don't write exploits for a living) but I'm sure
that's just scraping the surface.

Paolo

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
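The point of the exchange above is that the daemon's capability set, not only the SELinux label on each device path, decides what a compromised helper can reach: with CAP_SYS_ADMIN it can drive device-mapper ioctls and have the kernel write to block devices it could never open() itself. The first check a practitioner would want is therefore what the running helper actually holds. The following is an added example, not code from QEMU, libvirt or the daemon under discussion: it parses the Cap* lines of a /proc/<pid>/status file (a 64-bit hex mask with capability N at bit N, as the kernel prints it), names the bits using the numbering from linux/capability.h, and flags the two capabilities the thread mentions. The sample status text is constructed here, and the short rationale strings are this example's own summaries of the thread.

```python
"""Audit the capability sets of a process (for example a persistent
reservation helper) and flag the capabilities that reach block devices
indirectly, regardless of open() permission on the device node.

Added example, not part of the original thread or of QEMU/libvirt.
"""
import re
import sys

# Capability numbers as defined in linux/capability.h (bit N <-> index N).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The two capabilities discussed in the thread.  The rationale strings are
# this example's summary: CAP_SYS_ADMIN covers device-mapper table ioctls
# (the kernel, not the caller, opens the backing device), CAP_SYS_RAWIO
# covers SG_IO pass-through of commands outside the unprivileged whitelist.
BLOCK_DEVICE_REACH = {
    "CAP_SYS_ADMIN": "device-mapper ioctls: can map and write any block device",
    "CAP_SYS_RAWIO": "unfiltered SG_IO pass-through to SCSI devices",
}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$",
                       re.MULTILINE)


def decode_caps(hexmask):
    """Turn a /proc status hex mask into the set of capability names."""
    value = int(hexmask, 16)
    names = set()
    for bit in range(value.bit_length()):
        if (value >> bit) & 1:
            # Bits above the known table are named by number so a newer
            # kernel does not make the decoder raise.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def parse_status(text):
    """Return {set name: {capability names}} for every Cap* line found."""
    return {m.group(1): decode_caps(m.group(2)) for m in _CAP_LINE.finditer(text)}


def audit(text):
    """Flag the block-device-reaching capabilities a process holds.

    Returns {cap: (where, why)} with where = "effective" if the process can
    use it now, or "bounding-only" if it is merely still obtainable.
    """
    sets = parse_status(text)
    effective = sets.get("CapEff", set())
    bounding = sets.get("CapBnd", set())
    findings = {}
    for cap, why in BLOCK_DEVICE_REACH.items():
        if cap in effective:
            findings[cap] = ("effective", why)
        elif cap in bounding:
            findings[cap] = ("bounding-only", why)
    return findings


# Constructed sample: a helper running as root with only the two
# capabilities left in its effective set, full bounding set untouched.
SAMPLE_STATUS = (
    "Name:\tqemu-pr-helper\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000220000\n"
    "CapEff:\t0000000000220000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

# Constructed sample: same helper after dropping CAP_SYS_ADMIN from both
# the effective and the bounding set; only CAP_SYS_RAWIO remains.
HARDENED_STATUS = SAMPLE_STATUS.replace("0000000000220000", "0000000000020000") \
                               .replace("0000003fffffffff", "0000000000020000")


if __name__ == "__main__":
    # Usage: python capaudit.py [/proc/<pid>/status]; defaults to self.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as f:
        for cap, (where, why) in sorted(audit(f.read()).items()):
            print("%-16s %-13s %s" % (cap, where, why))
```

Run it against the helper's own /proc/<pid>/status; a finding of "bounding-only" for CAP_SYS_ADMIN means the daemon cannot use it today but nothing stops a re-exec or a buggy privilege transition from regaining it, so the bounding set is worth trimming along with the effective set.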
