Re: [libvirt] [PATCH RFC] lib: Forbid guest interaction with RO connections in virDomainGetVcpusFlags

On Tue, Jul 16, 2013 at 09:46:49AM -0600, Eric Blake wrote:
> On 07/16/2013 08:37 AM, Peter Krempa wrote:
> > Don't allow guest agent interaction by read-only connections as the
> > agent may be mailicious.
> s/mailicious/malicious/
> > ---
> >  src/libvirt.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> Do we have any other commands that a read-only connection can use to
> interact with a guest agent?  A quick check shows that many other
> commands with an AGENT flag already require read-only connections at all
> times (such as virDomainReboot, virDomainSendProcessSignal,
> virDomainSetVcpusFlags, and virDomainSnapshotCreateXML), but at least
> virDomainGetHostname is permitted on a read-only connection with an
> allowance for guest agent interaction.
> Also, I'm wondering if we also need any work in the ACL framework for
> controlling whether a command is permitted to require guest interaction.
> For example, does it make sense to have an ACL that says a guest
> shutdown via ACPI is permitted (it does not matter if the guest
> responds), but a guest shutdown via the agent should be prevented
> (because interacting with the agent of a malicious guest is too risky)?
> At any rate, I think we need a v2 that covers all possible agent
> interaction commands, if we are going to go with this approach (but the
> idea does make sense to me).

Yes, the ACL code is intended to obsolete the read-only flag. So anything
that can be expressed with the read-only flag, must also be doable using
the ACLs.

We don't want to end up with one ACL permission for every guest agent
command though. I think it would be sufficient to just use the generic
domain 'write' permission bit to enforce this.
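To make the two gating approaches in this thread concrete, here is an added C model (not libvirt's code and not the RFC patch itself) of how a virDomainGetVcpusFlags-style entry point would refuse agent interaction: VIR_CONNECT_RO and VIR_DOMAIN_VCPU_GUEST are libvirt's real flag values, while the ACL_DOMAIN_* bits and check_get_vcpus_access() are hypothetical stand-ins for the ACL framework under discussion.

```c
#include <stdbool.h>
#include <stdio.h>

/* Real libvirt flag values (virConnectFlags / virDomainVcpuFlags). */
#define VIR_CONNECT_RO        (1u << 0)   /* connection opened read-only */
#define VIR_DOMAIN_VCPU_GUEST (1u << 3)   /* ask the guest agent, not the hypervisor */

/* Hypothetical ACL permission bits modelling the framework Eric and Daniel discuss. */
#define ACL_DOMAIN_READ  (1u << 0)
#define ACL_DOMAIN_WRITE (1u << 1)

enum verdict { ALLOW = 0, DENY_READONLY = 1, DENY_ACL = 2 };

/* Decide whether a GetVcpusFlags call may proceed.  Any request that touches the
 * guest agent is treated as a write: it is refused on a read-only connection (the
 * check the RFC adds) and, under the ACL model, also requires the generic domain
 * 'write' bit rather than a dedicated per-agent-command permission.  A plain
 * hypervisor-side query only needs 'read'. */
enum verdict check_get_vcpus_access(unsigned conn_flags, unsigned api_flags,
                                    unsigned acl_perms)
{
    bool touches_agent = (api_flags & VIR_DOMAIN_VCPU_GUEST) != 0;

    if (touches_agent && (conn_flags & VIR_CONNECT_RO))
        return DENY_READONLY;
    if (touches_agent && !(acl_perms & ACL_DOMAIN_WRITE))
        return DENY_ACL;
    if (!(acl_perms & ACL_DOMAIN_READ))
        return DENY_ACL;
    return ALLOW;
}

int main(void)
{
    /* Constructed scenarios: read-only client, read-write client with read-only ACL. */
    printf("ro conn, agent query:      %d\n",
           check_get_vcpus_access(VIR_CONNECT_RO, VIR_DOMAIN_VCPU_GUEST,
                                  ACL_DOMAIN_READ | ACL_DOMAIN_WRITE));
    printf("rw conn, read-only ACL:    %d\n",
           check_get_vcpus_access(0, VIR_DOMAIN_VCPU_GUEST, ACL_DOMAIN_READ));
    printf("ro conn, hypervisor query: %d\n",
           check_get_vcpus_access(VIR_CONNECT_RO, 0, ACL_DOMAIN_READ));
    return 0;
}
```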

