[libvirt] Does libvirt check MCS labels during hot-add disk image ?

Daniel P. Berrange berrange at redhat.com
Thu Mar 22 10:09:23 UTC 2012


On Thu, Mar 22, 2012 at 09:36:30AM +0530, Onkar N Mahajan wrote:
> Libvirt doesn't care about security during hot add disk images. It even
> accepts addition of disk images of other guest running on the host. 
> 
> Steps followed to create this scenario : 


> Now, try to add vm1's disk image into vm2 - this must not be allowed -
> since, for virtualized guest images, only svirt_t processes with the
> same MCS fields can read/write these images, i.e., for vm2 to access
> vm1's disk image its MCS label must be 's0:c660,c689'.
> 
> Hot addition of vm1's image, i.e., /var/lib/libvirt/images/vm1.img, is
> successful (which must not be allowed).

sVirt does not try to stop any host administrator actions. Its goal
is to isolate guests from each other. There is nothing wrong with the
scenario you describe from sVirt's POV. Only one guest is able to
access the disk at a time - the first VM loses access when you
give the disk to the second VM, so there is no security flaw here.

Responsibility for stopping administrator actions like this lies
with the disk locking framework. If you enable the sanlock driver
in libvirt, you would have been prevented from adding the disk
to the second guest, while the host is running.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
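
A host-side audit for the situation discussed in this thread, added here as an example (it is not code from libvirt or from either poster): it reads domain XML and reports image paths attached read-write to more than one guest. The sample XML is constructed, and treating `<readonly/>` disks as unlocked and `<shareable/>` disks as compatible with each other is an assumption modelled on how a disk lock manager classifies them.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: domain XML in the shape "virsh dumpxml" prints,
# trimmed to the elements this check reads. vm2 has vm1's image hot-added.
VM1 = """<domain type='kvm'><name>vm1</name><devices>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/vm1.img'/><target dev='vda'/></disk>
  <disk type='file' device='cdrom'>
    <source file='/var/lib/libvirt/images/tools.iso'/><readonly/></disk>
</devices></domain>"""
VM2 = """<domain type='kvm'><name>vm2</name><devices>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/vm2.img'/><target dev='vda'/></disk>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/vm1.img'/><target dev='vdb'/></disk>
  <disk type='file' device='cdrom'>
    <source file='/var/lib/libvirt/images/tools.iso'/><readonly/></disk>
</devices></domain>"""

def disk_users(domain_xmls):
    """Map each disk source path to {domain name: access mode}."""
    users = defaultdict(dict)
    for text in domain_xmls:
        dom = ET.fromstring(text)
        for disk in dom.iterfind("./devices/disk"):
            src = disk.find("source")
            path = None if src is None else src.get("file") or src.get("dev")
            if path is None:
                continue  # empty drive or network disk: out of scope here
            # Assumed classification: readonly = no lock, shareable = shared lock.
            mode = ("readonly" if disk.find("readonly") is not None else
                    "shared" if disk.find("shareable") is not None else "exclusive")
            users[path][dom.findtext("name")] = mode
    return users

def conflicts(domain_xmls):
    """Paths attached read-write to several guests, at least one exclusively."""
    found = {}
    for path, modes in disk_users(domain_xmls).items():
        writers = sorted(d for d, m in modes.items() if m != "readonly")
        if len(writers) > 1 and "exclusive" in modes.values():
            found[path] = writers
    return found

if __name__ == "__main__":
    for path, doms in conflicts([VM1, VM2]).items():
        print(f"{path}: attached read-write to {', '.join(doms)}")
```

Run against the XML of every defined domain, this flags the vm1.img double attachment while leaving the read-only ISO shared by both guests alone.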



