Re: [libvirt] [PATCH] api: require write permission for guest agent interaction

2014-01-22 Thread Eric Blake
On 01/22/2014 03:52 AM, Daniel P. Berrange wrote: > On Tue, Jan 21, 2014 at 10:47:07AM -0700, Eric Blake wrote: >> I noticed that we allow virDomainGetVcpusFlags even for read-only >> connections, but that with a flag, it can require guest agent >> interaction. It is feasible that a malicious gues

Re: [libvirt] [PATCH] api: require write permission for guest agent interaction

2014-01-22 Thread Daniel P. Berrange
On Tue, Jan 21, 2014 at 10:47:07AM -0700, Eric Blake wrote: > I noticed that we allow virDomainGetVcpusFlags even for read-only > connections, but that with a flag, it can require guest agent > interaction. It is feasible that a malicious guest could > intentionally abuse the replies it sends over

[libvirt] [PATCH] api: require write permission for guest agent interaction

2014-01-21 Thread Eric Blake
I noticed that we allow virDomainGetVcpusFlags even for read-only connections, but that with a flag, it can require guest agent interaction. It is feasible that a malicious guest could intentionally abuse the replies it sends over the guest agent connection to possibly trigger a bug in libvirt's J