On Tue, Jul 16, 2013 at 09:46:49AM -0600, Eric Blake wrote:
> On 07/16/2013 08:37 AM, Peter Krempa wrote:
> > Don't allow guest agent interaction by read-only connections as the
> > agent may be mailicious.
>
> s/mailicious/malicious/
>
> > ---
> >  src/libvirt.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
>
> Do we have any other commands that a read-only connection can use to
> interact with a guest agent? A quick check shows that many other
> commands with an AGENT flag already require read-only connections at all
> times (such as virDomainReboot, virDomainSendProcessSignal,
> virDomainSetVcpusFlags, and virDomainSnapshotCreateXML), but at least
> virDomainGetHostname is permitted on a read-only connection with an
> allowance for guest agent interaction.
>
> Also, I'm wondering if we also need any work in the ACL framework for
> controlling whether a command is permitted to require guest interaction.
> For example, does it make sense to have an ACL that says a guest
> shutdown via ACPI is permitted (it does not matter if the guest
> responds), but a guest shutdown via the agent should be prevented
> (because interacting with the agent of a malicious guest is too risky)?
>
> At any rate, I think we need a v2 that covers all possible agent
> interaction commands, if we are going to go with this approach (but the
> idea does make sense to me).

Yes, the ACL code is intended to obsolete the read-only flag. So anything
that can be expressed with the read-only flag must also be doable using
the ACLs.

We don't want to end up with one ACL permission for every guest agent
command though. I think it would be sufficient to just use the generic
domain 'write' permission bit to enforce this.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
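The policy the thread converges on (any call that can interact with the guest agent is treated as a domain 'write', so a read-only connection or a caller holding only a read ACL bit is refused) can be modelled in a few lines. The following is an added illustration written for this page, not code from libvirt or from Peter's patch; the flag names (`CONN_READONLY`, `CALL_GUEST_AGENT`, `PERM_READ`, `PERM_WRITE`) and the `api_call` table are assumptions chosen to mirror the discussion, and the three sample calls are modelled after the APIs named above rather than taken from libvirt's real tables.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed flag and permission names (not libvirt's actual identifiers). */
enum { CONN_READONLY = 1u << 0 };                      /* connection opened read-only */
enum { CALL_GUEST_AGENT = 1u << 0 };                   /* caller requested agent interaction */
enum { PERM_READ = 1u << 0, PERM_WRITE = 1u << 1 };    /* domain ACL permission bits */

/* One API call: the permission it needs when it does not touch the agent,
 * and whether the call always goes through the agent regardless of flags
 * (as virDomainGetHostname does) or only when the agent flag is passed. */
struct api_call {
    const char *name;
    unsigned int base_perm;
    bool always_agent;
};

/* Permission required for a given call and flags: any agent interaction is
 * folded into the generic domain 'write' bit, as Daniel proposes above. */
unsigned int required_perm(const struct api_call *call, unsigned int call_flags)
{
    if (call->always_agent || (call_flags & CALL_GUEST_AGENT))
        return PERM_WRITE;
    return call->base_perm;
}

/* Returns 1 if the call is permitted, 0 if denied.
 * conn_flags: flags of the connection the caller used.
 * acl_perms:  permission bits the ACL grants this caller on the domain. */
int check_call(const struct api_call *call, unsigned int call_flags,
               unsigned int conn_flags, unsigned int acl_perms)
{
    unsigned int need = required_perm(call, call_flags);

    /* The read-only connection flag is the legacy form of "no write":
     * it can never satisfy a write requirement, so agent calls are refused. */
    if ((conn_flags & CONN_READONLY) && (need & PERM_WRITE))
        return 0;

    /* Otherwise the ACL must grant every bit the call requires. */
    return (acl_perms & need) == need;
}

/* Constructed sample calls modelled after the APIs discussed in the thread. */
const struct api_call domain_get_info     = { "virDomainGetInfo",       PERM_READ,  false };
const struct api_call domain_get_hostname = { "virDomainGetHostname",   PERM_READ,  true  };
const struct api_call domain_shutdown     = { "virDomainShutdownFlags", PERM_WRITE, false };

int main(void)
{
    /* Read-only connection, read-only ACL: plain reads pass, agent-backed reads do not. */
    printf("%s on read-only conn: %d\n", domain_get_info.name,
           check_call(&domain_get_info, 0, CONN_READONLY, PERM_READ));
    printf("%s on read-only conn: %d\n", domain_get_hostname.name,
           check_call(&domain_get_hostname, 0, CONN_READONLY, PERM_READ));

    /* Read-write connection: shutdown via the agent needs the write bit. */
    printf("%s via agent, read ACL only: %d\n", domain_shutdown.name,
           check_call(&domain_shutdown, CALL_GUEST_AGENT, 0, PERM_READ));
    printf("%s via agent, read+write ACL: %d\n", domain_shutdown.name,
           check_call(&domain_shutdown, CALL_GUEST_AGENT, 0, PERM_READ | PERM_WRITE));
    return 0;
}
```

Note that under this model an ACPI shutdown and an agent shutdown both require the same 'write' bit, so Eric's "ACPI yes, agent no" distinction is not expressible without a finer-grained permission; that is the trade-off the two replies are weighing.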