From: Paolo Bonzini <pbonzini@redhat.com>
To: Steven Rostedt <rostedt@goodmis.org>, Eric Blake <eblake@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
kvm@vger.kernel.org, Stefan Hajnoczi <stefanha@gmail.com>,
yoshihiro.yunomae.ez@hitachi.com, mtosatti@redhat.com,
qemu-devel@nongnu.org, peterx@redhat.com,
Luiz Capitulino <lcapitulino@redhat.com>,
linux-trace-users@vger.kernel.org
Subject: Re: [Qemu-devel] [RFC] host and guest kernel trace merging
Date: Mon, 7 Mar 2016 18:13:52 +0100 [thread overview]
Message-ID: <56DDB6D0.7020308@redhat.com> (raw)
In-Reply-To: <20160307112627.3b94c671@gandalf.local.home>
On 07/03/2016 17:26, Steven Rostedt wrote:
> > > How's the connection set up. That is, how does it know the commands are
> > > coming from the host? And how does it know that the commands from the
> > > host is from a trusted source? If the host is compromised, is there
> > > anything keeping an intruder from controlling the guest?
> >
> > qemu-guest-agent uses a virtio channel, so only the host can be driving
> > that channel. But how can a guest know that it trusts the host? It
> > can't. A compromised host implicitly compromises all guests, and that's
> > always been the case. At least qemu-guest-agent doesn't make the window
> > any larger.
>
> I should have been a bit more clear about what I meant by "host is
> compromised". I should have asked, what about untrusted tasks on the
> host. Is the channel protected where only admin users can access it?
The other side of the channel is typically a socket or a pty, so it's
protected by file permissions, SELinux, and the like.
Paolo
WARNING: multiple messages have this Message-ID (diff)
From: Paolo Bonzini <pbonzini@redhat.com>
To: Steven Rostedt <rostedt@goodmis.org>, Eric Blake <eblake@redhat.com>
Cc: kvm@vger.kernel.org, Stefan Hajnoczi <stefanha@gmail.com>,
yoshihiro.yunomae.ez@hitachi.com, mtosatti@redhat.com,
qemu-devel@nongnu.org, peterx@redhat.com,
Luiz Capitulino <lcapitulino@redhat.com>,
linux-trace-users@vger.kernel.org,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [Qemu-devel] [RFC] host and guest kernel trace merging
Date: Mon, 7 Mar 2016 18:13:52 +0100 [thread overview]
Message-ID: <56DDB6D0.7020308@redhat.com> (raw)
In-Reply-To: <20160307112627.3b94c671@gandalf.local.home>
On 07/03/2016 17:26, Steven Rostedt wrote:
> > > How's the connection set up. That is, how does it know the commands are
> > > coming from the host? And how does it know that the commands from the
> > > host is from a trusted source? If the host is compromised, is there
> > > anything keeping an intruder from controlling the guest?
> >
> > qemu-guest-agent uses a virtio channel, so only the host can be driving
> > that channel. But how can a guest know that it trusts the host? It
> > can't. A compromised host implicitly compromises all guests, and that's
> > always been the case. At least qemu-guest-agent doesn't make the window
> > any larger.
>
> I should have been a bit more clear about what I meant by "host is
> compromised". I should have asked, what about untrusted tasks on the
> host. Is the channel protected where only admin users can access it?
The other side of the channel is typically a socket or a pty, so it's
protected by file permissions, SELinux, and the like.
Paolo
next prev parent reply other threads:[~2016-03-07 17:13 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-03 19:35 [RFC] host and guest kernel trace merging Luiz Capitulino
2016-03-03 19:35 ` [Qemu-devel] " Luiz Capitulino
2016-03-04 11:19 ` Stefan Hajnoczi
2016-03-04 13:23 ` Steven Rostedt
2016-03-04 13:23 ` Steven Rostedt
2016-03-04 13:23 ` Steven Rostedt
2016-03-07 15:17 ` [Qemu-devel] " Stefan Hajnoczi
2016-03-07 15:17 ` Stefan Hajnoczi
2016-03-07 15:49 ` Steven Rostedt
2016-03-07 15:49 ` Steven Rostedt
2016-03-07 16:10 ` Eric Blake
2016-03-07 16:26 ` Steven Rostedt
2016-03-07 16:26 ` Steven Rostedt
2016-03-07 17:13 ` Paolo Bonzini [this message]
2016-03-07 17:13 ` Paolo Bonzini
2016-03-24 5:16 ` Peter Xu
2016-03-24 5:16 ` Peter Xu
2016-03-24 13:02 ` Luiz Capitulino
2016-03-24 13:02 ` Luiz Capitulino
2016-03-25 1:53 ` Peter Xu
2016-03-25 1:53 ` Peter Xu
2016-03-24 8:42 ` Peter Xu
2016-03-24 8:42 ` Peter Xu
2016-03-24 10:13 ` Stefan Hajnoczi
2016-03-24 10:13 ` Stefan Hajnoczi
2016-03-25 2:22 ` Peter Xu
2016-03-25 2:22 ` Peter Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56DDB6D0.7020308@redhat.com \
--to=pbonzini@redhat.com \
--cc=eblake@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=lcapitulino@redhat.com \
--cc=linux-trace-users@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=peterx@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rostedt@goodmis.org \
--cc=stefanha@gmail.com \
--cc=stefanha@redhat.com \
--cc=yoshihiro.yunomae.ez@hitachi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.