[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 0/2] qemu: add new disk type='lun' for bus='virtio'



On Thu, Dec 22, 2011 at 01:39:30PM -0500, Laine Stump wrote:
> 
> These two patches are in response to CVE-2011-4127:
> 
>   http://seclists.org/oss-sec/2011/q4/536
> 
> Once the kernel security fix and corresponding qemu mitigation patch
> are in place, access to SG_IO commands from qemu guests will be
> disabled by default. This patch series provides a way to explicitly
> enable such support when it is required.
> 
> In a discussion just before sending this patch series, Paolo Bonzini
> wondered if rather than the xml syntax being what's proposed
> here:
> 
>   <disk type='block' device='disk' dev='/dev/sda'> <!-- SG_IO off -->
>   <disk type='lun'   device='disk' dev='/dev/sda'> <!-- SG_IO on -->
> 
> maybe it should instead be:
> 
>   <disk type='block' device='disk' dev='/dev/sda'> <!-- SG_IO off -->
>   <disk type='block' device='lun'  dev='/dev/sda'> <!-- SG_IO on -->
> 
> I guess it partly depends on whether we would ever want to turn on
> SG_IO for a disk with device='cdrom|floppy' vs. if we would ever want
> to turn it on for type='file|dir|network'.
> 
> Opinions?

The 'type' attribute refers to how the host emulator deals with the
disk.

The 'device' attribute refers to what type of device hardware is exposed
to the guest.

What we're doing here is controlling whether the host emulator allows
SG_IO. The guest visible device hardware has not changed at all. Thus
using the 'type' attribute is the correct approach.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]