[libvirt] [PATCH 0/2] qemu: add new disk type='lun' for bus='virtio'

Laine Stump laine at laine.org
Thu Dec 22 18:39:30 UTC 2011


These two patches are in response to CVE-2011-4127:

  http://seclists.org/oss-sec/2011/q4/536

Once the kernel security fix and corresponding qemu mitigation patch
are in place, access to SG_IO commands from qemu guests will be
disabled by default. This patch series provides a way to explicitly
enable such support when it is required.

In a discussion just before sending this patch series, Paolo Bonzini
wondered if rather than the xml syntax being what's proposed
here:

  <disk type='block' device='disk' dev='/dev/sda'> <!-- SG_IO off -->
  <disk type='lun'   device='disk' dev='/dev/sda'> <!-- SG_IO on -->

maybe it should instead be:

  <disk type='block' device='disk' dev='/dev/sda'> <!-- SG_IO off -->
  <disk type='block' device='lun'  dev='/dev/sda'> <!-- SG_IO on -->

I guess it partly depends on whether we would ever want to turn on
SG_IO for a disk with device='cdrom|floppy' vs. if we would ever want
to turn it on for type='file|dir|network'.

Opinions?
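An added illustration (not part of the original message, and not libvirt's own documentation) of how the two proposed spellings would look inside a complete `<disk>` element. The page gives only the one-line shorthand; the `<driver>`, `<source>` and `<target>` children are the standard libvirt domain XML structure and are assumed here, as is the virtio target name `vda`. The `/dev/sda` path is the one used on the page. The point for an administrator is that SG_IO passthrough stays off for every disk unless that disk is explicitly marked, so only the guest that genuinely needs raw SCSI commands gets them.

```xml
<!-- Default: plain block device, SG_IO commands from the guest are
     refused (the post-CVE-2011-4127 default). -->
<disk type='block' device='disk'>
  <driver name='qemu' type='raw'/>
  <source dev='/dev/sda'/>
  <target dev='vda' bus='virtio'/>
</disk>

<!-- Variant A from the cover letter: opt in via a new disk *type*. -->
<disk type='lun' device='disk'>
  <driver name='qemu' type='raw'/>
  <source dev='/dev/sda'/>
  <target dev='vda' bus='virtio'/>
</disk>

<!-- Variant B (Paolo Bonzini's suggestion): opt in via the *device*
     attribute, keeping type='block' for the source. -->
<disk type='block' device='lun'>
  <driver name='qemu' type='raw'/>
  <source dev='/dev/sda'/>
  <target dev='vda' bus='virtio'/>
</disk>
```

Either way the opt-in is per disk and visible in the domain definition, which makes it straightforward to audit: a search over the defined domains for `type='lun'` (variant A) or `device='lun'` (variant B) lists exactly the guests that have been granted SG_IO access.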
