[libvirt] 答复: security: the qemu agent command "guest-exec" may cause Insider Access

Peter Krempa pkrempa at redhat.com
Fri Aug 25 10:04:06 UTC 2017

On Fri, Aug 25, 2017 at 08:52:16 +0000, Zhangbo (Oscar) wrote:
> >On Fri, Aug 25, 2017 at 06:45:18 +0000, Zhangbo (Oscar) wrote:


> >>       The Administrator also can use other commands such as "
> >guest-file-open" that also cause Insider Access.
> >>
> >>       So, how to avoid this security problem, what's your suggestion?
> >
> >You can use the "--blacklist" facility of qemu-ga to disable APIs you
> >don't want to support. Or don't run the guest agent at all.
> This works if the qemu-agent inside the guest is installed by us cloud provider. But if the guest
> is installed all by the cloud tenant himself, he may not know to add "--blacklist" by default, and 
> doesn't notice that his OS is opposed to host attackers. How to solve this problem? It seems that
> we have to mitigate the treat on the host side?

That premise is silly. Adding protection from the host on the host side
does not make sense, since the host admin can always change it.

You can avoid adding the guest agent channel though completely. On the
guest, you can e.g. not install the guest agent.

If you don't trust the host, don't use it. There's no protection from
reading the memory or disk images currently. See [1]. Note that even
without the API, root can access all the stuff.

[1]: http://libvirt.org/html/libvirt-libvirt-domain.html#virDomainMemoryPeek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170825/7e2d4065/attachment-0001.sig>

More information about the libvir-list mailing list