[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC] host and guest kernel trace merging
From: |
Steven Rostedt |
Subject: |
Re: [Qemu-devel] [RFC] host and guest kernel trace merging |
Date: |
Mon, 7 Mar 2016 11:26:27 -0500 |
On Mon, 7 Mar 2016 09:10:10 -0700
Eric Blake <address@hidden> wrote:
> On 03/07/2016 08:49 AM, Steven Rostedt wrote:
> > On Mon, 7 Mar 2016 15:17:05 +0000
> > Stefan Hajnoczi <address@hidden> wrote:
> >
> >
> >> qemu-guest-agent runs inside the guest and replies to RPC commands from
> >> the host. It is used for backups, shutdown, network configuration, etc.
> >> From time to time people have wanted the ability to execute an arbitrary
> >> command inside the guest and return the output. This functionality has
> >> never been merged, probably for the security reason.
> >
> > How's the connection set up. That is, how does it know the commands are
> > coming from the host? And how does it know that the commands from the
> > host is from a trusted source? If the host is compromised, is there
> > anything keeping an intruder from controlling the guest?
>
> qemu-guest-agent uses a virtio channel, so only the host can be driving
> that channel. But how can a guest know that it trusts the host? It
> can't. A compromised host implicitly compromises all guests, and that's
> always been the case. At least qemu-guest-agent doesn't make the window
> any larger.
>
I should have been a bit more clear about what I meant by "host is
compromised". I should have asked, what about untrusted tasks on the
host. Is the channel protected where only admin users can access it?
Of course, one of my concerns with the trace-cmd server is that it may
require a network connection, because doesn't a virtio channel require
to be initialized at boot up? Where the host must have an active
listener when the guest starts? Or am I thinking about something else.
-- Steve
Re: [Qemu-devel] [RFC] host and guest kernel trace merging, Peter Xu, 2016/03/24