From: "Daniel P. Berrangé" <berrange@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: P J P <ppandit@redhat.com>,
Qemu Developers <qemu-devel@nongnu.org>,
qemu-ppc@nongnu.org, Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH] ppc: add host-serial and host-model machine attributes
Date: Mon, 4 Feb 2019 10:10:05 +0000 [thread overview]
Message-ID: <20190204101005.GC1905@redhat.com> (raw)
In-Reply-To: <20190204010904.GD2593@umbus.fritz.box>
On Mon, Feb 04, 2019 at 12:09:04PM +1100, David Gibson wrote:
> On Sat, Feb 02, 2019 at 12:23:58AM +0530, P J P wrote:
> > From: Prasad J Pandit <pjp@fedoraproject.org>
> >
> > On ppc hosts, hypervisor shares following system attributes
> >
> > - /proc/device-tree/system-id
> > - /proc/device-tree/model
> >
> > with a guest. This could lead to information leakage and misuse.[*]
> > Add machine attributes to control such system information exposure
> > to a guest.
> >
> > [*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
> >
> > Reported-by: Daniel P. Berrangé <berrange@redhat.com>
> > Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
>
> Hm. This seems like it might be overkill. I mean, obviously we need
> to not leak that host information, but it's not clear we really need
> these properties at all. They're not specified in PAPR (contrary to
> my previous guess) and it's not clear what actually uses them.
>
> I'm wondering if we can just ditch them entirely, or at least make
> them default to not present without regard to machine version.
>
> Yes, that's technically a compatibility breaking change, but it's hard
> to see anything that actually relied on these as not being broken
> already, so I think that's actually a fair trade off for the security
> improvement here.
We cannot assume that no one is using it.
In fact this issue came to light precisely because a person on IRC
was asking why x86 couldn't provide the same info as PPC, because
they found it useful on PPC.
So we will definitely break people if we remove this from existing
VMs.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2019-02-04 10:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-01 18:53 [Qemu-devel] [PATCH] ppc: add host-serial and host-model machine attributes P J P
2019-02-03 16:10 ` no-reply
2019-02-04 1:09 ` David Gibson
2019-02-04 6:10 ` P J P
2019-02-04 6:14 ` David Gibson
2019-02-04 7:21 ` P J P
2019-02-04 10:10 ` Daniel P. Berrangé [this message]
2019-02-05 5:41 ` David Gibson
2019-02-04 10:16 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190204101005.GC1905@redhat.com \
--to=berrange@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).