Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2

[Ian Jackson]

Anthony Liguori writes ("Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2"):
> No need for a switch IMHO.  If a user is doing pass through, they ought 
> to expect that the guest has direct access to the device.

The firmware of an IDE device can usually take over complete the
control of the host, if it chooses to and knows how.  So upgrading the
firmware on the device is a lot more serious than just being able to
break the device.  It would allow the guest to escape containment.

So this definitely needs to be disabled by default.

Anthony Liguori writes ("Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2"):
> One should never rely on QEMU to enforce any security policy.  That's 
> the job of the OS.

I disagree entirely.  The qemu process inevitably has access to an
enormous amount of stuff that the guest shouldn't have, and in most
cases users don't even run it as a different user.

Or are you suggesting qemu should always be run in a chroot ?  Or a VM
perhaps ?  qemu only safe run under Xen PV ?  I don't think the KVM
guys are really going to like that as a security policy ...

> I'm sure something like SELinux can be used to prevent a root QEMU 
> process from doing a firmware upgrade.

*boggle*  You're not serious, are you ?

Ian.