On Tue, Sep 01, 2020 at 12:11:11PM +0200, Christian Ehrhardt wrote:
> On Thu, May 28, 2020 at 12:45 PM Simon Arlott <libvirt@xxxxxxxxxxx> wrote:
> >
> > The VM does not need read permission for its own sockets to create,
> > bind(), listen(), accept() connections or to recv(), send(), etc. on
> > those connections.
> >
> > This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665
> > (virt-aa-helper: disallow VNC socket read permissions),
> > but then b6465e1aa49397367a9cd0f27110b9c2280a7385
> > (graphics: introduce new listen type 'socket')
> > and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2
> > (acc83afe333bfadd3f7f79091d38ca3d7da1eeb2) reverted it.
> >
> > Unless the read permission is omitted, VMs can connect to each other's
> > VNC/graphics sockets.

snip

> And as I said the concern of "VMs can connect to each other" would
> only be true if the admin specifies the same path in each of them
> intentionally.

Protecting against administrator mis-configurations is NOT a goal of the
security drivers. We're only aiming to protect against a compromised QEMU
in whatever configuration the admin requested.

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|