Re: [PATCH RFC] lib: Forbid guest interaction with RO connections in virDomainGetVcpusFlags

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 16, 2013 at 09:46:49AM -0600, Eric Blake wrote:
> On 07/16/2013 08:37 AM, Peter Krempa wrote:
> > Don't allow guest agent interaction by read-only connections as the
> > agent may be mailicious.
> 
> s/mailicious/malicious/
> 
> > ---
> >  src/libvirt.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> 
> Do we have any other commands that a read-only connection can use to
> interact with a guest agent?  A quick check shows that many other
> commands with an AGENT flag already require read-only connections at all
> times (such as virDomainReboot, virDomainSendProcessSignal,
> virDomainSetVcpusFlags, and virDomainSnapshotCreateXML), but at least
> virDomainGetHostname is permitted on a read-only connection with an
> allowance for guest agent interaction.
> 
> Also, I'm wondering if we also need any work in the ACL framework for
> controlling whether a command is permitted to require guest interaction.
>  For example, does it make sense to have an ACL that says a guest
> shutdown via ACPI is permitted (it does not matter if the guest
> responds), but a guest shutdown via the agent should be prevented
> (because interacting with the agent of a malicious guest is too risky)?
> 
> At any rate, I think we need a v2 that covers all possible agent
> interaction commands, if we are going to go with this approach (but the
> idea does make sense to me).

Yes, the ACL code is intended to obsolete the read-only flag. So anything
that can be expressed with the read-only flag, must also be doable using
the ACLs.

We don't want to end up with one ACL permission for every guest agent
command though. I think it would be sufficient to just use the generic
domani 'write' permission bit to enforce this.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]