From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41386)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1acyjL-00042n-4k
	for qemu-devel@nongnu.org; Mon, 07 Mar 2016 12:14:03 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1acyjH-0005jq-E4
	for qemu-devel@nongnu.org; Mon, 07 Mar 2016 12:14:03 -0500
Received: from mx1.redhat.com ([209.132.183.28]:45895)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pbonzini@redhat.com>) id 1acyjH-0005jf-8u
	for qemu-devel@nongnu.org; Mon, 07 Mar 2016 12:13:59 -0500
References: <20160303143501.0edf21a2@redhat.com>
	<20160304111933.GB626@stefanha-x1.localdomain>
	<20160304082311.5ccd1a33@gandalf.local.home>
	<20160307151705.GD20937@stefanha-x1.localdomain>
	<20160307104924.1871dbdb@gandalf.local.home>
	<56DDA7E2.3050506@redhat.com>
	<20160307112627.3b94c671@gandalf.local.home>
From: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <56DDB6D0.7020308@redhat.com>
Date: Mon, 7 Mar 2016 18:13:52 +0100
MIME-Version: 1.0
In-Reply-To: <20160307112627.3b94c671@gandalf.local.home>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [RFC] host and guest kernel trace merging
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Steven Rostedt <rostedt@goodmis.org>, Eric Blake <eblake@redhat.com>
Cc: kvm@vger.kernel.org, Stefan Hajnoczi <stefanha@gmail.com>, yoshihiro.yunomae.ez@hitachi.com, mtosatti@redhat.com, qemu-devel@nongnu.org, peterx@redhat.com, Luiz Capitulino <lcapitulino@redhat.com>, linux-trace-users@vger.kernel.org, Stefan Hajnoczi <stefanha@redhat.com>



On 07/03/2016 17:26, Steven Rostedt wrote:
> > > How's the connection set up. That is, how does it know the commands are
> > > coming from the host? And how does it know that the commands from the
> > > host is from a trusted source? If the host is compromised, is there
> > > anything keeping an intruder from controlling the guest?  
> > 
> > qemu-guest-agent uses a virtio channel, so only the host can be driving
> > that channel.  But how can a guest know that it trusts the host? It
> > can't.  A compromised host implicitly compromises all guests, and that's
> > always been the case.  At least qemu-guest-agent doesn't make the window
> > any larger.
>
> I should have been a bit more clear about what I meant by "host is
> compromised". I should have asked, what about untrusted tasks on the
> host. Is the channel protected where only admin users can access it?

The other side of the channel is typically a socket or a pty, so it's
protected by file permissions, SELinux, and the like.

Paolo