[PATCH v2] virt-aa-helper: disallow graphics socket read permissions

Daniel P. Berrangé berrange at redhat.com
Tue Sep 1 10:19:33 UTC 2020


On Tue, Sep 01, 2020 at 12:11:11PM +0200, Christian Ehrhardt wrote:
> On Thu, May 28, 2020 at 12:45 PM Simon Arlott <libvirt at octiron.net> wrote:
> >
> > The VM does not need read permission for its own sockets to create,
> > bind(), listen(), accept() connections or to recv(), send(), etc. on
> > those connections.
> >
> > This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665
> > (virt-aa-helper: disallow VNC socket read permissions),
> > but then b6465e1aa49397367a9cd0f27110b9c2280a7385
> > (graphics: introduce new listen type 'socket')
> > and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2
> > (acc83afe333bfadd3f7f79091d38ca3d7da1eeb2) reverted it.
> >
> > Unless the read permission is omitted, VMs can connect to each other's
> > VNC/graphics sockets.

snip

> And as I said the concern of "VMs can connect to each other" would
> only be true if the admin specifies the same path in each of them
> intentionally.

Protecting against administrator mis-configurations is NOT a goal
of the security drivers. We're only aiming to protect against a
compromised QEMU in whatever configuration the admin requested.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|