Dan Kenigsberg has posted comments on this change.

Change subject: vm payload: add file injection to vm
......................................................................

Patch Set 17: (3 inline comments)

I believe that the payload image must be put somewhere like /var/tmp/vdsm/images/sha1.iso where sha1 is calculated on the payload content. Sorry for not having thought of this before, but this is quite serious - for security and for migration.

....................................................
File vdsm/clientIF.py
Line 210: volPath = supervdsm.getProxy().mkIsoFs(files)
come to think of this - the location of the iso image must not be random, or else the guest won't find it after migration. Idea: put the image in /var/tmp/vdsm/images/md5(files)

....................................................
File vdsm/supervdsmServer.py
Line 216: mkimage.mkFloppyFs(files)
shouldn't you return mkimage.mkFloppyFs(files) instead?

Line 223: def removeFs(self, path):
that's not very safe, as it allows Vdsm to remove any system file wherever it wants to. We MUST add protection on the paths allowed to be removed. How about putting all images somewhere under /var/tmp/vdsm/images/ and letting vdsm remove files only there?

--
To view, visit http://gerrit.ovirt.org/2321

Gerrit-MessageType: comment
Gerrit-Change-Id: I256475342c79690a95ad999335522f99714cdc8b
Gerrit-PatchSet: 17
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Shahar Havivi
Gerrit-Reviewer: Dan Kenigsberg
Gerrit-Reviewer: Ewoud Kohl van Wijngaarden
Gerrit-Reviewer: Igor Lvovsky
Gerrit-Reviewer: Shahar Havivi
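The two constraints raised in this review (an image path derived from the payload content, and removal confined to /var/tmp/vdsm/images/), sketched as an added Python example. This is not vdsm code: the names `payload_image_path` and `remove_image`, and the assumption that `files` maps file names to bytes, are made up for illustration.

```python
import hashlib
import os

IMAGE_ROOT = "/var/tmp/vdsm/images"  # directory proposed in the review


def payload_image_path(files, root=IMAGE_ROOT):
    """Return a deterministic image path computed from the payload content.

    files: dict of file name -> bytes (assumed shape, not vdsm's API).
    """
    digest = hashlib.sha1()
    for name in sorted(files):  # order-independent, so every host agrees
        for field in (name.encode("utf-8"), files[name]):
            # Length-prefix each field so {"a": b"12"} and {"a": b"1", ...}
            # style splits cannot produce the same byte stream.
            digest.update(b"%d:" % len(field))
            digest.update(field)
    return os.path.join(root, digest.hexdigest() + ".iso")


def remove_image(path, root=IMAGE_ROOT):
    """Unlink path only if it is a regular file directly inside root."""
    real_root = os.path.realpath(root)
    # Resolve the parent directory, which collapses ".." components and
    # symlinked directories, but leave the final component unresolved so a
    # symlink planted in the root is never followed out of it.
    parent = os.path.realpath(os.path.dirname(path))
    name = os.path.basename(path)
    if parent != real_root or name in ("", ".", ".."):
        raise ValueError("refusing to remove %r: not inside %s" % (path, root))
    target = os.path.join(parent, name)
    if os.path.islink(target) or not os.path.isfile(target):
        raise ValueError("refusing to remove %r: not a regular file" % (path,))
    os.unlink(target)
```

The containment check only holds if the image directory itself is writable solely by the service that creates the images; otherwise the directory can be swapped between the check and the unlink.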
