From: Gleb Natapov <gleb@redhat.com>
To: Wen Congyang <wency@cn.fujitsu.com>
Cc: kvm list <kvm@vger.kernel.org>,
Jan Kiszka <jan.kiszka@siemens.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
qemu-devel <qemu-devel@nongnu.org>, Avi Kivity <avi@redhat.com>,
Amit Shah <amit.shah@redhat.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Subject: Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked
Date: Wed, 14 Mar 2012 13:11:40 +0200 [thread overview]
Message-ID: <20120314111140.GY2304@redhat.com> (raw)
In-Reply-To: <4F607BCA.5090506@cn.fujitsu.com>
On Wed, Mar 14, 2012 at 07:06:50PM +0800, Wen Congyang wrote:
> At 03/14/2012 06:59 PM, Daniel P. Berrange Wrote:
> > On Wed, Mar 14, 2012 at 06:58:47PM +0800, Wen Congyang wrote:
> >> At 03/14/2012 06:52 PM, Avi Kivity Wrote:
> >>> On 03/14/2012 12:52 PM, Wen Congyang wrote:
> >>>>>
> >>>>>> If so, is this channel visible to guest userspace? If the channle is visible to guest
> >>>>>> userspace, the program running in userspace may write the same message to the channel.
> >>>>>
> >>>>> Access control is via permissions. You can have udev scripts assign
> >>>>> whatever uid and gid to the port of your interest. By default, all
> >>>>> ports are only accessible to the root user.
> >>>>
> >>>> We should also prevent root user writing message to this channel if it is
> >>>> used for panicked notification.
> >>>>
> >>>
> >>> Why? root can easily cause a panic.
> >>>
> >>
> >> root user can write the same message to virtio-serial while the guest is running...
> >
> > Unless you are running a MAC policy which strictly confines the root
> > account, root can cause a kernel panic regardless of virtio-serial
> > permissions in the guest:
> >
> > echo c > /proc/sysrq-trigger
>
> Yes, root user can cause a kernel panic. But if he writes the same message to virtio-serial,
> the host will see the guest is panicked while the guest is not panicked. The host is cheated.
>
And why is this a problem? If root in a guest wants to cheat host like
that there is no way to stop him. He can load kernel module and do
whatever he wants. Management should treat that condition as if guest
panicked.
> If we use vmcall, and the user causes a kernel panic, we can also know the guest is panicked.
> It is the thing what we need. We need to know the guest is panicked, and we donot aware
> why it is panicked. If the guest is not panicked, and the host think the guest is panicked, it
> is not the thing we need.
>
Then you cannot get the thing you need and you can as well stop trying.
--
Gleb.
next prev parent reply other threads:[~2012-03-14 11:12 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-08 7:57 [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked Wen Congyang
2012-03-08 8:02 ` [Qemu-devel] [PATCH 1/2 " Wen Congyang
2012-03-08 8:04 ` [Qemu-devel] [PATCH 2/2 v3] kvm: set exit_reason to KVM_EXIT_GUEST_PANICKED " Wen Congyang
2012-03-08 8:06 ` [Qemu-devel] [PATCH 1/2 v3] update linux-headers Wen Congyang
2012-03-08 8:07 ` [Qemu-devel] [PATCH 2/2 v3] deal with guest panicked event Wen Congyang
2012-03-08 10:08 ` Jan Kiszka
2012-03-08 10:11 ` Wen Congyang
2012-03-08 10:15 ` [Qemu-devel] [RESEND][PATCH " Wen Congyang
2012-03-08 11:28 ` Avi Kivity
2012-03-08 11:36 ` Daniel P. Berrange
2012-03-08 11:52 ` Avi Kivity
2012-03-08 11:56 ` Daniel P. Berrange
2012-03-09 22:22 ` Marcelo Tosatti
2012-03-21 19:01 ` Anthony Liguori
2012-03-12 1:46 ` Wen Congyang
2012-03-08 11:13 ` [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked Avi Kivity
2012-03-09 1:21 ` Wen Congyang
2012-03-12 9:04 ` Wen Congyang
2012-03-12 10:33 ` Avi Kivity
2012-03-13 6:44 ` Wen Congyang
2012-03-13 8:54 ` Avi Kivity
2012-03-13 9:18 ` Daniel P. Berrange
2012-03-13 10:47 ` Avi Kivity
2012-03-14 8:29 ` Wen Congyang
2012-03-14 9:24 ` Avi Kivity
2012-03-14 9:53 ` Wen Congyang
2012-03-14 10:07 ` Avi Kivity
2012-03-14 10:26 ` Wen Congyang
2012-03-14 10:29 ` Avi Kivity
2012-03-14 10:46 ` Gleb Natapov
2012-03-14 10:48 ` Avi Kivity
2012-03-14 11:11 ` Wen Congyang
2012-03-14 13:07 ` Avi Kivity
2012-03-14 13:13 ` Avi Kivity
2012-03-14 13:14 ` Gleb Natapov
2012-03-14 13:16 ` Avi Kivity
2012-03-14 13:25 ` Gleb Natapov
2012-03-14 18:46 ` Eric Northup
2012-03-15 7:01 ` Wen Congyang
2012-03-15 10:39 ` Gleb Natapov
2012-03-15 11:25 ` Jan Kiszka
2012-03-15 11:46 ` Avi Kivity
2012-03-16 8:05 ` Wen Congyang
2012-03-21 19:12 ` Anthony Liguori
2012-03-22 8:34 ` Wen Congyang
2012-03-14 18:47 ` Eric Northup
2012-03-14 10:37 ` Amit Shah
2012-03-14 10:52 ` Wen Congyang
2012-03-14 10:52 ` Gleb Natapov
2012-03-14 10:57 ` Wen Congyang
2012-03-14 10:58 ` Gleb Natapov
2012-03-14 11:13 ` Wen Congyang
2012-03-14 10:52 ` Avi Kivity
2012-03-14 10:58 ` Wen Congyang
2012-03-14 10:59 ` Daniel P. Berrange
2012-03-14 11:06 ` Wen Congyang
2012-03-14 11:11 ` Gleb Natapov [this message]
2012-03-14 11:17 ` Daniel P. Berrange
2012-03-14 10:59 ` Gleb Natapov
2012-03-14 10:57 ` Amit Shah
2012-03-14 9:51 ` Amit Shah
2012-03-14 10:04 ` Wen Congyang
2012-03-14 10:08 ` Avi Kivity
2012-03-14 10:40 ` Amit Shah
2012-03-14 10:42 ` Gleb Natapov
2012-03-14 10:57 ` Daniel P. Berrange
2012-03-14 11:01 ` Wen Congyang
2012-03-21 19:04 ` Anthony Liguori
2012-03-22 7:33 ` Gleb Natapov
2012-03-12 10:31 ` Avi Kivity
2012-03-19 7:33 ` Wen Congyang
2012-03-20 9:59 ` Wen Congyang
2012-03-20 15:45 ` Gleb Natapov
2012-03-21 0:56 ` Wen Congyang
2012-03-21 9:11 ` Gleb Natapov
2012-03-21 9:35 ` Wen Congyang
2012-03-21 9:42 ` Gleb Natapov
2012-03-21 16:18 ` Corey Minyard
2012-03-21 16:24 ` Gleb Natapov
2012-03-21 16:25 ` Avi Kivity
2012-03-21 17:04 ` Daniel P. Berrange
2012-03-21 17:34 ` Avi Kivity
2012-03-21 18:17 ` Jan Kiszka
2012-03-21 19:19 ` Anthony Liguori
2012-03-22 1:05 ` Wen Congyang
2012-03-22 7:31 ` Gleb Natapov
2012-03-22 7:44 ` Wen Congyang
2012-03-22 8:36 ` Gleb Natapov
2012-03-22 7:28 ` Gleb Natapov
2012-03-22 7:40 ` Wen Congyang
2012-04-02 10:05 ` Wen Congyang
2012-04-02 10:54 ` Amit Shah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120314111140.GY2304@redhat.com \
--to=gleb@redhat.com \
--cc=amit.shah@redhat.com \
--cc=avi@redhat.com \
--cc=jan.kiszka@siemens.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=qemu-devel@nongnu.org \
--cc=wency@cn.fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).