On Mon, 7 Mar 2016 09:10:10 -0700
Eric Blake <eblake@xxxxxxxxxx> wrote:

> On 03/07/2016 08:49 AM, Steven Rostedt wrote:
> > On Mon, 7 Mar 2016 15:17:05 +0000
> > Stefan Hajnoczi <stefanha@xxxxxxxxxx> wrote:
> >
> >> qemu-guest-agent runs inside the guest and replies to RPC commands from
> >> the host. It is used for backups, shutdown, network configuration, etc.
> >> From time to time people have wanted the ability to execute an arbitrary
> >> command inside the guest and return the output. This functionality has
> >> never been merged, probably for the security reason.
> >
> > How's the connection set up? That is, how does it know the commands are
> > coming from the host? And how does it know that the commands from the
> > host are from a trusted source? If the host is compromised, is there
> > anything keeping an intruder from controlling the guest?
>
> qemu-guest-agent uses a virtio channel, so only the host can be driving
> that channel. But how can a guest know that it trusts the host? It
> can't. A compromised host implicitly compromises all guests, and that's
> always been the case. At least qemu-guest-agent doesn't make the window
> any larger.
>

I should have been a bit more clear about what I meant by "host is
compromised". I should have asked, what about untrusted tasks on the
host. Is the channel protected where only admin users can access it?

Of course, one of my concerns with the trace-cmd server is that it may
require a network connection, because doesn't a virtio channel require
to be initialized at boot up? Where the host must have an active
listener when the guest starts? Or am I thinking about something else?

-- Steve