
Re: [PATCH v2] virt-aa-helper: disallow graphics socket read permissions

On Tue, Sep 01, 2020 at 12:11:11PM +0200, Christian Ehrhardt wrote:
> On Thu, May 28, 2020 at 12:45 PM Simon Arlott <libvirt octiron net> wrote:
> >
> > The VM does not need read permission for its own sockets to create,
> > bind(), listen(), accept() connections or to recv(), send(), etc. on
> > those connections.
> >
> > This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665
> > (virt-aa-helper: disallow VNC socket read permissions),
> > but then b6465e1aa49397367a9cd0f27110b9c2280a7385
> > (graphics: introduce new listen type 'socket')
> > and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2
> > (acc83afe333bfadd3f7f79091d38ca3d7da1eeb2) reverted it.
> >
> > Unless the read permission is omitted, VMs can connect to each other's
> > VNC/graphics sockets.


> And as I said the concern of "VMs can connect to each other" would
> only be true if the admin specifies the same path in each of them
> intentionally.

Protecting against administrator mis-configurations is NOT a goal
of the security drivers. We're only aiming to protect against a
compromised QEMU in whatever configuration the admin requested.

|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
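
An added example, not part of this thread and not libvirt's own code: a check that a per-VM AppArmor rule set grants no read permission on the domain's graphics sockets, the condition the quoted commit message describes. The domain XML, socket paths and rule lines are constructed samples, the `"path" perms,` rule shape is an assumption, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a domain with one socket-backed graphics device.
DOMAIN_XML = """
<domain type='kvm'>
  <name>demo</name>
  <devices>
    <graphics type='vnc'>
      <listen type='socket' socket='/run/demo/vnc.sock'/>
    </graphics>
    <graphics type='spice'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>
"""

# Constructed sample rules; the '"path" perms,' line shape is assumed.
PROFILE_RULES = '''
  "/var/lib/libvirt/images/demo.qcow2" rwk,
  "/run/demo/vnc.sock" rw,
  "/run/demo/unrelated.sock" rw,
'''

RULE_RE = re.compile(r'^\s*"([^"]+)"\s+([a-zA-Z]+),\s*$')


def graphics_sockets(domain_xml):
    """Return the UNIX socket paths used by <graphics> devices."""
    root = ET.fromstring(domain_xml.strip())
    paths = set()
    for gfx in root.iter("graphics"):
        if gfx.get("socket"):  # legacy attribute on <graphics> itself
            paths.add(gfx.get("socket"))
        for listen in gfx.findall("listen"):
            if listen.get("type") == "socket" and listen.get("socket"):
                paths.add(listen.get("socket"))
    return paths


def readable_graphics_sockets(domain_xml, rules):
    """Return (path, perms) for graphics sockets whose rule includes 'r'."""
    sockets = graphics_sockets(domain_xml)
    flagged = []
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) in sockets and "r" in m.group(2):
            flagged.append((m.group(1), m.group(2)))
    return flagged
```

Rules for paths that are not graphics sockets of the domain are ignored, so only the `rw` grant on `/run/demo/vnc.sock` is reported for the sample input.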
