Re: [Qemu-devel] [PATCH v2 3/3] Add rate limiting of RTC_CHANGE, BALLOON_CHANGE & WATCHDOG events

["Daniel P. Berrange" <berrange@redhat.com>]

On Wed, May 30, 2012 at 03:50:37PM -0300, Luiz Capitulino wrote:
> On Mon, 21 May 2012 17:59:53 +0100
> "Daniel P. Berrange" <berrange@redhat.com> wrote:

> > +/* Global, one-time initializer to configure the rate limiting
> > + * and initialize state */
> > +static void monitor_protocol_event_init(void)
> > +{
> > +    qemu_mutex_init(&monitor_event_state_lock);
> > +    /* Limit RTC & BALLOON events to 1 per second */
> > +    monitor_protocol_event_throttle(QEVENT_RTC_CHANGE, 1000);
> > +    monitor_protocol_event_throttle(QEVENT_BALLOON_CHANGE, 1000);
> > +    monitor_protocol_event_throttle(QEVENT_WATCHDOG, 1000);
> 
> What about SUSPENDED and BLOCK_IO_ERROR? Couldn't the former be also
> used by a malicious guest to cause a DoS? The former is already emitted
> several times for virtio.

This can't be used to filter BLOCK_IO_ERROR, since that event
contains per-device state information. Filtering this would
need to be done in the block layer, so it can done per device.

I don't think SUSPEND can be used to DoS, since once the VM
is in the suspend state, a monitor command is required to wake
it up again before the guest OS can trigger a new suspend.

> > @@ -4564,6 +4709,11 @@ static void sortcmdlist(void)
> >   * End:
> >   */
> >  
> > +void monitor_global_init(void)
> > +{
> 
> It's better to call it monitor_early_init() (or monitor_init_early()).

Hmm, I chose this name because wanted to make it clear
that this applied to all monitor instances, vs monitor_init
which is per-monitor.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|