[libvirt] Re: security: the qemu agent command "guest-exec" may cause Insider Access

Martin Kletzander mkletzan at redhat.com
Fri Aug 25 09:56:26 UTC 2017

On Fri, Aug 25, 2017 at 08:52:16AM +0000, Zhangbo (Oscar) wrote:
>>On Fri, Aug 25, 2017 at 06:45:18 +0000, Zhangbo (Oscar) wrote:
>>> Hi all:
>>>      The Host Administrator is capable of running any executable in guests via the
>>> qemu-ga command "guest-exec", e.g.:
>>>         virsh qemu-agent-command test_guest '{"execute": "guest-exec",
>>> "arguments": {"path": "ifconfig", "arg": [ "eth1", "" ],"capture-output":
>>> true } }'
>>> {"return":{"pid":12425}}
>>>        virsh qemu-agent-command test_guest '{"execute":
>>> "guest-exec-status", "arguments": { "pid": 12425 } }'
>>> {"return":{"exitcode":0,"exited":true}}
>>>       The example above just changes the guest's IP address; the Administrator
>>> may also change guests' user passwords, get sensitive information, etc., which
>>> causes Insider Access.
>>>       The Administrator can also use other commands, such as
>>> "guest-file-open", that also cause Insider Access.
>>>       So, how can this security problem be avoided? What's your suggestion?
>>You can use the "--blacklist" facility of qemu-ga to disable APIs you
>>don't want to support. Or don't run the guest agent at all.
>This works if the qemu-agent inside the guest is installed by us, the cloud provider. But if the guest
>is installed entirely by the cloud tenant himself, he may not know to add "--blacklist" by default, and
>doesn't notice that his OS is exposed to host attackers. How to solve this problem? It seems that
>we have to mitigate the threat on the host side?

A compromised host implies that all guests are compromised as well.  You
cannot (currently) protect against this.
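For readers who want to act on the "--blacklist" suggestion above, here is an added example (editor's code, not from the thread, libvirt or QEMU). It renders the corresponding qemu-ga.conf setting and then checks, from a guest-info reply, which host-reaching RPCs the agent still reports as enabled. The RPC list is an illustrative selection, the config key name is the one qemu-ga used at the time of this thread (later releases spell it block-rpcs), and the two guest-info replies are constructed, not captured from a real guest.

```python
import json

# RPCs through which the host reaches into the guest (run programs, read and
# write guest files, set passwords). Illustrative selection for this example,
# not a list taken from qemu-ga or the thread; trim it to your needs.
HOST_REACHING_RPCS = [
    "guest-exec",
    "guest-exec-status",
    "guest-file-open",
    "guest-file-read",
    "guest-file-write",
    "guest-file-seek",
    "guest-file-flush",
    "guest-file-close",
    "guest-set-user-password",
]


def qemu_ga_conf(blocked):
    """Render the [general] section of /etc/qemu/qemu-ga.conf that disables
    the given RPCs via the blacklist= key, the config-file form of the
    --blacklist option mentioned in the thread (newer qemu-ga releases call
    the same setting block-rpcs / --block-rpcs)."""
    return "[general]\nblacklist=" + ",".join(blocked) + "\n"


def audit_guest_info(guest_info_reply, must_be_blocked):
    """Take the JSON reply of
        virsh qemu-agent-command <domain> '{"execute": "guest-info"}'
    and return the RPCs from must_be_blocked that the agent still reports
    as enabled. An empty result means the blacklist took effect."""
    reply = json.loads(guest_info_reply)
    enabled = {
        cmd["name"]
        for cmd in reply["return"]["supported_commands"]
        if cmd["enabled"]
    }
    return sorted(enabled & set(must_be_blocked))


def _sample_reply(disabled):
    """Build a constructed guest-info reply (not captured from a real guest)
    in the shape qemu-ga returns: a version string plus one entry per RPC."""
    names = ["guest-ping", "guest-info", "guest-fsfreeze-freeze",
             "guest-exec", "guest-exec-status", "guest-file-open",
             "guest-set-user-password"]
    return json.dumps({"return": {
        "version": "2.9.0",
        "supported_commands": [
            {"name": n, "enabled": n not in disabled, "success-response": True}
            for n in names],
    }})


# Constructed before/after replies: a default agent, and one started with
# the blacklist rendered above.
REPLY_DEFAULT_AGENT = _sample_reply(disabled=set())
REPLY_BLACKLISTED_AGENT = _sample_reply(disabled=set(HOST_REACHING_RPCS))


if __name__ == "__main__":
    print(qemu_ga_conf(HOST_REACHING_RPCS))
    print("still enabled (default agent):    ",
          audit_guest_info(REPLY_DEFAULT_AGENT, HOST_REACHING_RPCS))
    print("still enabled (blacklisted agent):",
          audit_guest_info(REPLY_BLACKLISTED_AGENT, HOST_REACHING_RPCS))
```

The audit is the part a practitioner should keep: after shipping the config in a guest image, run guest-info against a booted instance and confirm the list comes back empty. As Martin says above, this is a guest-side control only; it narrows what a well-behaved host administrator can do through the agent, and does nothing against a compromised host or for tenants who install their own unconfigured agent.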
