On Thu, Nov 10, 2011 at 11:09 AM, Avi Kivity <avi@xxxxxxxxxx> wrote: > On 11/10/2011 11:04 AM, Sasha Levin wrote: >> On Thu, Nov 10, 2011 at 10:57 AM, Markus Armbruster <armbru@xxxxxxxxxx> wrote: >> > Sasha Levin <levinsasha928@xxxxxxxxx> writes: >> > >> >> On Thu, Nov 10, 2011 at 9:57 AM, Markus Armbruster <armbru@xxxxxxxxxx> wrote: >> > [...] >> >>> Start with a clean read/write raw image. Probing declares it raw. >> >>> Guest writes QCOW signature to it, with a backing file of its choice. >> >>> >> >>> Restart with the same image. Probing declares it QCOW2. Guest can read >> >>> the backing file. Oops. >> >> >> >> Thats an excellent scenario why you'd want to have 'Secure KVM' with >> >> seccomp filters :) >> > >> > Yup. >> > >> > For what it's worth, sVirt (use SELinux to secure virtualization) >> > mitigates the problem. Doesn't mean we couldn't use "Secure KVM". >> >> How does it do it do that? You have a hypervisor trying to read >> arbitrary files on the host FS, no? > > Trying and failing. sVirt will deny access to all files except those > explicitly allowed by libvirt. It still allows the guest to read more than enough files which it shouldn't be reading. Unless you configure sVirt on a per-guest basis... -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
