From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59042) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1acwuG-00036U-Gu for qemu-devel@nongnu.org; Mon, 07 Mar 2016 10:17:18 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1acwuC-00040F-NR for qemu-devel@nongnu.org; Mon, 07 Mar 2016 10:17:12 -0500 Received: from mx1.redhat.com ([209.132.183.28]:42514) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1acwuC-000401-IQ for qemu-devel@nongnu.org; Mon, 07 Mar 2016 10:17:08 -0500 Date: Mon, 7 Mar 2016 15:17:05 +0000 From: Stefan Hajnoczi Message-ID: <20160307151705.GD20937@stefanha-x1.localdomain> References: <20160303143501.0edf21a2@redhat.com> <20160304111933.GB626@stefanha-x1.localdomain> <20160304082311.5ccd1a33@gandalf.local.home> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="at6+YcpfzWZg/htY" Content-Disposition: inline In-Reply-To: <20160304082311.5ccd1a33@gandalf.local.home> Subject: Re: [Qemu-devel] [RFC] host and guest kernel trace merging List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Steven Rostedt Cc: kvm@vger.kernel.org, Stefan Hajnoczi , yoshihiro.yunomae.ez@hitachi.com, mtosatti@redhat.com, qemu-devel@nongnu.org, peterx@redhat.com, Luiz Capitulino , linux-trace-users@vger.kernel.org, pbonzini@redhat.com --at6+YcpfzWZg/htY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Mar 04, 2016 at 08:23:11AM -0500, Steven Rostedt wrote: > The problem I have with the guest server, and something that we may be > able to fix later on, but should always keep it in the back of our > minds, is the security issue. For this to work, the guest server needs > to run as root. It will have an open socket (network or to host), that > will enable tracing on the guest. There needs to be some sort of > verification on that connection to prevent anyone from connecting to it. >=20 > In the protocol for the connection between guest and host, I'll > currently add a "security" feature, that will allow the guest to tell > whomever is connecting to it, what type of security feature it wants. > For now it will be TRACE_CMD_NO_SECURITY. But that will have to change > in the future. qemu-guest-agent runs inside the guest and replies to RPC commands from the host. It is used for backups, shutdown, network configuration, etc. =46rom time to time people have wanted the ability to execute an arbitrary command inside the guest and return the output. This functionality has never been merged, probably for the security reason. A tracing server that runs inside the guest is comparable to qemu-guest-agent. As long as the tracing server requires manual commands to start it and does not run by default, then I think the security issue can be kept at bay. It's a powerful tool that requires explicit guest administrator action to enable. Stefan --at6+YcpfzWZg/htY Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJW3ZtxAAoJEJykq7OBq3PICp8H/A2RmCoiuGnAzGg01sa4aF4t qCBjGxQ2aq8g4vPksxbLtAAVRnR96Uc/+m+EgRBIWs1wUoHrY/KETW+1O7wocCs6 AGW7/TyiXBuJ7DOumT5FPR7nZR7bN/8Ak9yqZZRn0s+WfVfh774zEgVbtU3Lz0Og OeElLhQZ0s0pLQYdXKyvYjRtCvl/uk5YkT4AHyhpP5VpGEtuQkSxtDdq6l8/viEb a/URjbZEdW504EhPgqWzjJTRv4jZS4Oh0VZl7jncNgHoSu48eEJgUO48o8rofLyn ByGTMMkPsczIBiSU+l91XuvXww1pnE3z8vrsRzBOpcV+QqZXSexNkQzigVAv31I= =Qx2F -----END PGP SIGNATURE----- --at6+YcpfzWZg/htY--