[libvirt-users] QEMU guest-agent safety in hostile VM?

Daniel P. Berrangé berrange at redhat.com
Wed Feb 28 18:23:47 UTC 2018


On Wed, Feb 28, 2018 at 06:11:52PM +0000, procmem wrote:
> Hi. Is it still considered risky to use the QEMU guest agent in an
> untrusted guest? A warning on these lines was written in the manual a
> few years back when the feature made its debut. I wanted to know if it
> was hardened since.

Anything running on the host that relies on the guest agent needs to be
written to expect a hostile agent. The agent may simply never respond
to commands, or may return you completely garbage data. There's nothing
we can do to prevent this, since the guest agent is under the guest OS
admin's control. So host apps/admins need to be super-paranoid when
dealing with / interpreting any response.

Libvirt should at least take care of parsing the response and timing
out if it doesn't reply in time. We can't guarantee the info libvirt
gets back is sane though.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
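
Added example, not part of the original message and not libvirt or QEMU code: one way a host-side tool could validate a guest-network-get-interfaces reply before using it, in line with the advice above to treat every agent response as hostile. The size caps, the interface-name pattern, the helper names and the sample replies are assumptions made for this illustration; the never-responding case is covered by the timeout on the agent call and is not shown.

```python
import ipaddress
import json
import re

MAX_REPLY_BYTES = 64 * 1024  # assumed cap: a hostile agent can send huge replies
MAX_INTERFACES = 64          # assumed cap
MAX_ADDRS_PER_IF = 32        # assumed cap
IFNAME_RE = re.compile(r"[A-Za-z0-9_.:\- ]{1,64}")  # assumed allow-list, no metacharacters


class UntrustedAgentReply(ValueError):
    """Raised when the reply does not match the shape the host expects."""


def parse_interfaces(raw: bytes) -> dict:
    """Validate a guest-network-get-interfaces reply; return {name: [ip, ...]}."""
    if len(raw) > MAX_REPLY_BYTES:
        raise UntrustedAgentReply("reply too large")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as exc:
        raise UntrustedAgentReply("not valid JSON") from exc
    items = doc.get("return") if isinstance(doc, dict) else None
    if not isinstance(items, list) or len(items) > MAX_INTERFACES:
        raise UntrustedAgentReply("unexpected top-level shape")
    result = {}
    for item in items:
        name = item.get("name") if isinstance(item, dict) else None
        if not isinstance(name, str) or not IFNAME_RE.fullmatch(name):
            raise UntrustedAgentReply("bad interface name")
        addrs = item.get("ip-addresses", [])
        if not isinstance(addrs, list) or len(addrs) > MAX_ADDRS_PER_IF:
            raise UntrustedAgentReply("bad address list")
        clean = []
        for addr in addrs:
            value = addr.get("ip-address") if isinstance(addr, dict) else None
            if not isinstance(value, str) or "%" in value:  # zone IDs are free-form text
                raise UntrustedAgentReply("bad address entry")
            try:
                clean.append(str(ipaddress.ip_address(value)))  # canonical form only
            except ValueError as exc:
                raise UntrustedAgentReply("bad IP address") from exc
        result[name] = clean
    return result


# Constructed sample replies (not captured from a real guest).
GOOD = b'{"return": [{"name": "eth0", "ip-addresses": [{"ip-address-type": "ipv4", "ip-address": "192.0.2.10", "prefix": 24}]}]}'
HOSTILE = b'{"return": [{"name": "eth0; reboot", "ip-addresses": []}]}'
```

Even a reply that passes these checks only has a well-formed shape; the values in it are still whatever the guest chose to report.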



