Re: [PATCH RFC] lib: Forbid guest interaction with RO connections in virDomainGetVcpusFlags

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/16/2013 08:37 AM, Peter Krempa wrote:
> Don't allow guest agent interaction by read-only connections as the
> agent may be mailicious.

s/mailicious/malicious/

> ---
>  src/libvirt.c | 6 ++++++
>  1 file changed, 6 insertions(+)

Do we have any other commands that a read-only connection can use to
interact with a guest agent?  A quick check shows that many other
commands with an AGENT flag already require read-only connections at all
times (such as virDomainReboot, virDomainSendProcessSignal,
virDomainSetVcpusFlags, and virDomainSnapshotCreateXML), but at least
virDomainGetHostname is permitted on a read-only connection with an
allowance for guest agent interaction.

Also, I'm wondering if we also need any work in the ACL framework for
controlling whether a command is permitted to require guest interaction.
 For example, does it make sense to have an ACL that says a guest
shutdown via ACPI is permitted (it does not matter if the guest
responds), but a guest shutdown via the agent should be prevented
(because interacting with the agent of a malicious guest is too risky)?

At any rate, I think we need a v2 that covers all possible agent
interaction commands, if we are going to go with this approach (but the
idea does make sense to me).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]