[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH RFC v3 17/27] COLO: Add new command parameter 'c

From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH RFC v3 17/27] COLO: Add new command parameter 'colo_nicname' 'colo_script' for net
Date: Tue, 24 Feb 2015 17:24:10 +0000
User-agent: Mutt/1.5.23 (2014-03-12)

On Tue, Feb 24, 2015 at 09:30:56AM -0700, Eric Blake wrote:
> On 02/24/2015 02:50 AM, Wen Congyang wrote:
> >> Script files are in general very hard to secure.  Libvirt marks any
> >> domain that uses a script file for controlling networking as tainted,
> >> because it cannot guarantee that the script did not do arbitrary
> >> actions.  Can you come up with any better solution that does not require
> >> a script file, such as having management software responsible for
> >> passing in an already-opened fd?
> > 
> > Do you mean that opening the script in libvirt?
> > 
> No, I mean a solution that needs no script file at all.  Have libvirt
> pre-open the TAP device you will need, then pass in the fd that will be
> used for the colo NIC.

Agreed, we really must not add new features that require executing
arbitrary blackbox shell scripts to QEMU, when we know that reslts in
a flawed security model. And just pushing the script execution upto
libvirt is not really a satisfactory solution either.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

reply via email to

[Prev in Thread] Current Thread [Next in Thread]