From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43525)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rostedt@goodmis.org>) id 1acxPa-0006WZ-CF
	for qemu-devel@nongnu.org; Mon, 07 Mar 2016 10:49:38 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rostedt@goodmis.org>) id 1acxPW-0005sv-9J
	for qemu-devel@nongnu.org; Mon, 07 Mar 2016 10:49:34 -0500
Received: from smtprelay0160.hostedemail.com ([216.40.44.160]:35115
	helo=smtprelay.hostedemail.com)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rostedt@goodmis.org>) id 1acxPW-0005sR-4e
	for qemu-devel@nongnu.org; Mon, 07 Mar 2016 10:49:30 -0500
Date: Mon, 7 Mar 2016 10:49:24 -0500
From: Steven Rostedt <rostedt@goodmis.org>
Message-ID: <20160307104924.1871dbdb@gandalf.local.home>
In-Reply-To: <20160307151705.GD20937@stefanha-x1.localdomain>
References: <20160303143501.0edf21a2@redhat.com>
	<20160304111933.GB626@stefanha-x1.localdomain>
	<20160304082311.5ccd1a33@gandalf.local.home>
	<20160307151705.GD20937@stefanha-x1.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [RFC] host and guest kernel trace merging
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: kvm@vger.kernel.org, Stefan Hajnoczi <stefanha@gmail.com>, yoshihiro.yunomae.ez@hitachi.com, mtosatti@redhat.com, qemu-devel@nongnu.org, peterx@redhat.com, Luiz Capitulino <lcapitulino@redhat.com>, linux-trace-users@vger.kernel.org, pbonzini@redhat.com

On Mon, 7 Mar 2016 15:17:05 +0000
Stefan Hajnoczi <stefanha@redhat.com> wrote:


> qemu-guest-agent runs inside the guest and replies to RPC commands from
> the host.  It is used for backups, shutdown, network configuration, etc.
> From time to time people have wanted the ability to execute an arbitrary
> command inside the guest and return the output.  This functionality has
> never been merged, probably for the security reason.

How's the connection set up. That is, how does it know the commands are
coming from the host? And how does it know that the commands from the
host is from a trusted source? If the host is compromised, is there
anything keeping an intruder from controlling the guest?

> 
> A tracing server that runs inside the guest is comparable to
> qemu-guest-agent.  As long as the tracing server requires manual
> commands to start it and does not run by default, then I think the
> security issue can be kept at bay.  It's a powerful tool that requires
> explicit guest administrator action to enable.

This isn't something I would expect to be started by default. My worry
is that once it is started, then you open up a connection that can be
attached by pretty much anyone. We could make a network socket that
only communicates with the host, but even that worries me. I'm worried
that the host may have actors that might compromise the system.

-- Steve