On Mon, 7 Mar 2016 15:17:05 +0000 Stefan Hajnoczi <stefanha@xxxxxxxxxx> wrote: > qemu-guest-agent runs inside the guest and replies to RPC commands from > the host. It is used for backups, shutdown, network configuration, etc. > From time to time people have wanted the ability to execute an arbitrary > command inside the guest and return the output. This functionality has > never been merged, probably for the security reason. How's the connection set up. That is, how does it know the commands are coming from the host? And how does it know that the commands from the host is from a trusted source? If the host is compromised, is there anything keeping an intruder from controlling the guest? > > A tracing server that runs inside the guest is comparable to > qemu-guest-agent. As long as the tracing server requires manual > commands to start it and does not run by default, then I think the > security issue can be kept at bay. It's a powerful tool that requires > explicit guest administrator action to enable. This isn't something I would expect to be started by default. My worry is that once it is started, then you open up a connection that can be attached by pretty much anyone. We could make a network socket that only communicates with the host, but even that worries me. I'm worried that the host may have actors that might compromise the system. -- Steve -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
