On 01/05/2012 06:49 AM, KAMEZAWA Hiroyuki wrote:
Hmm, won't this force admins to rewrite their domain definitions? Some admin may need to refresh 100s of domain definitions when he upgrades a distro... How about

<disk type='block' device='disk' dev='/dev/sda'>   <!-- SG_IO on -->
<disk type='block' device='sdisk' dev='/dev/sda'>  <!-- SG_IO off -->

(sdisk = secure disk) and make 'sdisk' the default?
We believe that most sites are not passing entire disks, and thus cannot anyway use SG_IO. That is because you need special precautions when passing entire disks (for example to avoid that LVM scans them for volume groups). If you're not passing an entire disk to the VM, disabling SG_IO by default will protect you against CVE-2011-4127.
Even if you *are* passing an entire disk (for example an iSCSI share), it's relatively rare that you need SG_IO access.
Making your proposed 'sdisk' the default does not help, because usually the .xml files that libvirt stores include all attributes even when they have a default value. See also the ideas I posted recently for extended SCSI support to see why it is important to distinguish 'lun' on one side from 'disk' and 'cdrom' on the other: in the SCSI case you can have a passthrough disk, an emulated hard disk or an emulated CD-ROM. Something like 'sdisk' would not extend easily to the SCSI case.
This is why we are explicitly requiring administrators to opt into the SG_IO feature. We know that this can be a nuisance in some scenarios, but those are the minority and it is better if everybody enjoys more security by default.
Paolo

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
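An added example, not part of the thread: a small audit script an admin with many domain definitions could run to see which disks opt into SG_IO passthrough. It assumes libvirt's device='lun' is the opt-in value the reply refers to, that device='disk' is the default when the attribute is absent, and that the source path lives in a `<source dev=…/>` or `<source file=…/>` child; the sample domain XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (not from the thread): one passes
# /dev/sda as a plain 'disk' (SG_IO blocked by default), one opts into
# 'lun' passthrough (SG_IO allowed).
SAMPLE_DOMAINS = {
    "vm-plain": """<domain type='kvm'><name>vm-plain</name><devices>
      <disk type='block' device='disk'>
        <source dev='/dev/sda'/><target dev='vda' bus='virtio'/>
      </disk>
      <disk type='file' device='cdrom'>
        <source file='/var/lib/libvirt/images/install.iso'/>
        <target dev='hdc' bus='ide'/>
      </disk>
    </devices></domain>""",
    "vm-passthrough": """<domain type='kvm'><name>vm-passthrough</name><devices>
      <disk type='block' device='lun'>
        <source dev='/dev/sdb'/><target dev='sda' bus='scsi'/>
      </disk>
    </devices></domain>""",
}

SGIO_DEVICE = "lun"  # assumption: the opt-in device type that permits SG_IO

def audit_domain(xml_text):
    """Return (domain_name, [(device, source_path, sgio_allowed), ...])."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="?")
    findings = []
    for disk in root.iter("disk"):
        device = disk.get("device", "disk")  # absent attribute means 'disk'
        src = disk.find("source")
        path = (src.get("dev") or src.get("file")) if src is not None else None
        findings.append((device, path, device == SGIO_DEVICE))
    return name, findings

def domains_with_sgio(domains):
    """Sorted names of domains containing at least one SG_IO-capable disk."""
    result = []
    for xml_text in domains.values():
        name, findings = audit_domain(xml_text)
        if any(allowed for _, _, allowed in findings):
            result.append(name)
    return sorted(result)

if __name__ == "__main__":
    for xml_text in SAMPLE_DOMAINS.values():
        name, findings = audit_domain(xml_text)
        for device, path, allowed in findings:
            state = "ALLOWED" if allowed else "blocked"
            print(f"{name}: device={device} source={path} sg_io={state}")
```

Point `SAMPLE_DOMAINS` at the contents of real domain XML files (e.g. the output of `virsh dumpxml`) to get the same report for a live host.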