From: Anthony Liguori <anthony@codemonkey.ws>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: Paul Brook <paul@codesourcery.com>,
Alexandre Bique <bique.alexandre@gmail.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2
Date: Wed, 08 Jul 2009 12:20:59 -0500 [thread overview]
Message-ID: <4A54D57B.8080603@codemonkey.ws> (raw)
In-Reply-To: <19028.50372.333318.144669@mariner.uk.xensource.com>
Ian Jackson wrote:
> Anthony Liguori writes ("Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2"):
>
>> No need for a switch IMHO. If a user is doing pass through, they ought
>> to expect that the guest has direct access to the device.
>>
>
> The firmware of an IDE device can usually take over complete the
> control of the host, if it chooses to and knows how. So upgrading the
> firmware on the device is a lot more serious than just being able to
> break the device. It would allow the guest to escape containment.
>
> So this definitely needs to be disabled by default.
>
Pass through == escape containment.
That's generally true (even with VT-d). There's all sorts of bad things
you can do generating interrupt storms or physically bricking hardware.
> I disagree entirely. The qemu process inevitably has access to an
> enormous amount of stuff that the guest shouldn't have, and in most
> cases users don't even run it as a different user.
>
> Or are you suggesting qemu should always be run in a chroot ?
As a lesser privileged user or as root heavily restricted by SELinux, yes.
> Or a VM
> perhaps ? qemu only safe run under Xen PV ? I don't think the KVM
> guys are really going to like that as a security policy ...
>
It's about layers of security. If you design your security assuming
that QEMU is safe, you're taking a much bigger risk than if you assume
QEMU is hostile.
>> I'm sure something like SELinux can be used to prevent a root QEMU
>> process from doing a firmware upgrade.
>>
>
> *boggle* You're not serious, are you ?
>
Yes, I'm actually a fan of SELinux in the context of a dedicated
virtualization system.
Regards,
Anthony Liguori
next prev parent reply other threads:[~2009-07-08 17:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-01 18:31 [Qemu-devel] [PATCH 0/5] ATAPI pass through v2 Bique Alexandre
2009-07-07 20:03 ` Stuart Brady
2009-07-07 21:21 ` Alexandre Bique
2009-07-07 22:44 ` Paul Brook
2009-07-07 22:50 ` Alexandre Bique
2009-07-07 23:01 ` Anthony Liguori
2009-07-07 23:15 ` Stuart Brady
2009-07-08 16:09 ` Ian Jackson
2009-07-08 16:38 ` Avi Kivity
2009-07-08 17:28 ` Carl-Daniel Hailfinger
2009-07-08 18:03 ` Anthony Liguori
2009-07-08 18:09 ` Avi Kivity
2009-07-08 17:20 ` Anthony Liguori [this message]
2009-07-08 17:48 ` Vincent Hanquez
2009-07-08 18:06 ` Anthony Liguori
2009-07-07 22:58 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A54D57B.8080603@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=Ian.Jackson@eu.citrix.com \
--cc=bique.alexandre@gmail.com \
--cc=paul@codesourcery.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).