[Libguestfs] restrict access to host from guestfish
Richard W.M. Jones
rjones at redhat.com
Wed Jul 29 16:30:00 UTC 2015
On Wed, Jul 29, 2015 at 06:32:15PM +0530, Raghu wrote:
> Hi Richard,
>
> guestfish shell has an ability to execute commands on the host such as
>
> !mkdir local
> tgz-out /remote local/remote-data.tar.gz
>
> What is the best way to restrict access to host from guestfish ?
>
> For instance,
>
> - Allow readonly access to host.. i.e., !ls is allowed
> but dont allow !rm or !mkdir
>
> - commands such as tgz-out, or copy-out should be able to access just
> /tmp, but nothing else in host filesystem
>
> Appreciate your guidance on this,
There's no way to do this at the moment, and no concept of a
"restricted shell" in guestfish.
How about running the guestfish command in a container or using a
restrictive SELinux/AppArmor policy?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
More information about the Libguestfs
mailing list