[libvirt] security: the qemu agent command "guest-exec" may cause Insider Access

Peter Krempa pkrempa at redhat.com
Mon Aug 28 07:24:00 UTC 2017

On Sat, Aug 26, 2017 at 01:05:46 +0000, Zhangbo (Oscar) wrote:
> >On Fri, Aug 25, 2017 at 08:52:16 +0000, Zhangbo (Oscar) wrote:
> >> >On Fri, Aug 25, 2017 at 06:45:18 +0000, Zhangbo (Oscar) wrote:


> >If you don't trust the host, don't use it. There's no protection from
> >reading the memory or disk images currently. See [1]. Note that even
> >without the API, root can access all the stuff.
> Thank you very much for the detailed reply, any future plan to solve such problem(host 
> has too high authority to access guests' memory things)? What will be the potential mitigation?

The best mitigation is to not allow unauthorized access to the host. In
other words: if you don't trust your cloud provider, host your stuff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170828/904f5ba6/attachment-0001.sig>

More information about the libvir-list mailing list