On Fri, Aug 25, 2017 at 08:52:16AM +0000, Zhangbo (Oscar) wrote:
> > On Fri, Aug 25, 2017 at 06:45:18 +0000, Zhangbo (Oscar) wrote:
> > > Hi all:
> > >      The Host Administrator is capable of running any executable in guests via the
> > > qemu-ga command "guest-exec", e.g.:
> > > 
> > >         virsh qemu-agent-command test_guest '{"execute": "guest-exec",
> > >             "arguments": {"path": "ifconfig", "arg": [ "eth1", "192.168.0.99" ],
> > >             "capture-output": true } }'
> > >         {"return":{"pid":12425}}
> > >         virsh qemu-agent-command test_guest '{"execute": "guest-exec-status",
> > >             "arguments": { "pid": 12425 } }'
> > >         {"return":{"exitcode":0,"exited":true}}
> > > 
> > >       The example above just changes the guest's IP address; the Administrator
> > > may also change guest user passwords, get sensitive information, etc., which
> > > causes Insider Access.
> > >       The Administrator can also use other commands, such as
> > > "guest-file-open", that also cause Insider Access.
> > > 
> > >       So, how to avoid this security problem, what's your suggestion?
> > 
> > You can use the "--blacklist" facility of qemu-ga to disable APIs you
> > don't want to support. Or don't run the guest agent at all.
> 
> This works if the qemu-agent inside the guest is installed by us, the cloud
> provider. But if the guest is installed entirely by the cloud tenant himself,
> he may not know to add "--blacklist" by default, and doesn't notice that his
> OS is exposed to host attackers. How to solve this problem? It seems that
> we have to mitigate the threat on the host side?

A compromised host implies all guests are compromised as well.  You
cannot (currently) protect from this.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
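As an added example (not part of the thread, and not libvirt or qemu-ga code): a host-side check that a provider can run over the reply to the agent's `guest-info` RPC, to see which of the commands discussed above a tenant's agent still accepts, together with the matching `--blacklist` option the tenant would have to pass to qemu-ga. The reply below is a constructed sample; the set of RPCs treated as "insider access" is an assumption drawn from the commands the thread names.

```python
import json

# Guest-agent RPCs through which the host side can read or change guest state.
# guest-exec/guest-exec-status and guest-file-* are the ones named in the thread;
# guest-set-user-password is the RPC behind "change guest user passwords".
# Assumption: this list is the editor's, not an official qemu-ga classification.
INSIDER_ACCESS_RPCS = frozenset({
    "guest-exec", "guest-exec-status",
    "guest-file-open", "guest-file-read", "guest-file-write", "guest-file-close",
    "guest-set-user-password",
})

# Constructed sample of what
#   virsh qemu-agent-command test_guest '{"execute": "guest-info"}'
# returns when the agent was started with
#   qemu-ga --blacklist=guest-file-open,guest-file-read,guest-file-write,guest-file-close
# Blacklisted RPCs stay listed but carry "enabled": false. Trimmed to a few entries.
SAMPLE_GUEST_INFO = json.dumps({
    "return": {
        "version": "2.9.0",
        "supported_commands": [
            {"name": "guest-ping", "enabled": True, "success-response": True},
            {"name": "guest-exec", "enabled": True, "success-response": True},
            {"name": "guest-exec-status", "enabled": True, "success-response": True},
            {"name": "guest-file-open", "enabled": False, "success-response": True},
            {"name": "guest-file-read", "enabled": False, "success-response": True},
            {"name": "guest-file-write", "enabled": False, "success-response": True},
            {"name": "guest-file-close", "enabled": False, "success-response": True},
            {"name": "guest-set-user-password", "enabled": True, "success-response": True},
        ],
    }
})


def enabled_insider_rpcs(guest_info_reply: str) -> list:
    """Parse a guest-info reply and return the insider-access RPCs the agent still accepts.

    Raises ValueError when the reply is an agent error ({"error": ...}) rather than
    a result, so a failed query is never mistaken for "nothing enabled".
    """
    reply = json.loads(guest_info_reply)
    if "return" not in reply:
        raise ValueError("guest-info failed: %s" % reply.get("error", reply))
    commands = reply["return"]["supported_commands"]
    return sorted(
        c["name"] for c in commands
        if c["name"] in INSIDER_ACCESS_RPCS and c.get("enabled", False)
    )


def blacklist_option(rpcs) -> str:
    """Build the qemu-ga option that disables the given RPCs (comma-separated, no spaces)."""
    return "--blacklist=" + ",".join(sorted(rpcs))


if __name__ == "__main__":
    still_open = enabled_insider_rpcs(SAMPLE_GUEST_INFO)
    print("insider-access RPCs still enabled:", still_open)
    if still_open:
        print("add to the agent command line:", blacklist_option(still_open))
```

To use it against a real domain, feed the output of `virsh qemu-agent-command <domain> '{"execute": "guest-info"}'` to `enabled_insider_rpcs`. The check only reports what the agent in that guest exposes to the host; as the final reply in the thread says, it does nothing to protect a tenant from a host that is itself compromised.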
