From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50110) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1acxje-0005YN-3o for qemu-devel@nongnu.org; Mon, 07 Mar 2016 11:10:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1acxjY-0004C3-IZ for qemu-devel@nongnu.org; Mon, 07 Mar 2016 11:10:18 -0500 Received: from mx1.redhat.com ([209.132.183.28]:59366) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1acxjY-0004BU-Bw for qemu-devel@nongnu.org; Mon, 07 Mar 2016 11:10:12 -0500 References: <20160303143501.0edf21a2@redhat.com> <20160304111933.GB626@stefanha-x1.localdomain> <20160304082311.5ccd1a33@gandalf.local.home> <20160307151705.GD20937@stefanha-x1.localdomain> <20160307104924.1871dbdb@gandalf.local.home> From: Eric Blake Message-ID: <56DDA7E2.3050506@redhat.com> Date: Mon, 7 Mar 2016 09:10:10 -0700 MIME-Version: 1.0 In-Reply-To: <20160307104924.1871dbdb@gandalf.local.home> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="GxHHOqXcvx9g6heFUdgEANafeUVOCMiQX" Subject: Re: [Qemu-devel] [RFC] host and guest kernel trace merging List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Steven Rostedt , Stefan Hajnoczi Cc: kvm@vger.kernel.org, Stefan Hajnoczi , yoshihiro.yunomae.ez@hitachi.com, mtosatti@redhat.com, qemu-devel@nongnu.org, peterx@redhat.com, Luiz Capitulino , linux-trace-users@vger.kernel.org, pbonzini@redhat.com This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --GxHHOqXcvx9g6heFUdgEANafeUVOCMiQX Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 03/07/2016 08:49 AM, Steven Rostedt wrote: > On Mon, 7 Mar 2016 15:17:05 +0000 > Stefan Hajnoczi wrote: >=20 >=20 >> qemu-guest-agent runs inside the guest and replies to RPC commands fro= m >> the host. It is used for backups, shutdown, network configuration, et= c. >> From time to time people have wanted the ability to execute an arbitra= ry >> command inside the guest and return the output. This functionality ha= s >> never been merged, probably for the security reason. >=20 > How's the connection set up. That is, how does it know the commands are= > coming from the host? And how does it know that the commands from the > host is from a trusted source? If the host is compromised, is there > anything keeping an intruder from controlling the guest? qemu-guest-agent uses a virtio channel, so only the host can be driving that channel. But how can a guest know that it trusts the host? It can't. A compromised host implicitly compromises all guests, and that's always been the case. At least qemu-guest-agent doesn't make the window any larger. --=20 Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org --GxHHOqXcvx9g6heFUdgEANafeUVOCMiQX Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Public key at http://people.redhat.com/eblake/eblake.gpg Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCAAGBQJW3afiAAoJEKeha0olJ0NqVOoH/01da58qtntL6C5lTwk+8GAF TuBuZ+BZoJ4J1Kq4oifMPC59npBJCkwrCWUIt7JH7mlzCCkflo7VgnHzOmftNwxh rjvSexptV63oasbsTytRn2qKUmegYwpzz/eFNTJfXgOqZHzwvxNlFqU1myjzwcjG DieMcAlW2dcqmuGcrUQJdhWBhGD9JXxNpFRsEIF0wy4xspFS66/G+ncsPtw0ZEGC hqktBcU6LHQ8EzCTOLmExP0V4WUtMJcP+DYI9PCaMPxjf/xZSjeoDV/XSvZ95Os5 iPCHCemlDqG0pgRlR70ypi0dXXGFZXiTJlryY6sHCcRPF6XLOTjCKTn2MIs3PHw= =xVRf -----END PGP SIGNATURE----- --GxHHOqXcvx9g6heFUdgEANafeUVOCMiQX--