lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100322140711.GC14201@elte.hu>
Date:	Mon, 22 Mar 2010 15:07:11 +0100
From:	Ingo Molnar <mingo@...e.hu>
To:	"Richard W.M. Jones" <rjones@...hat.com>
Cc:	"Daniel P. Berrange" <berrange@...hat.com>,
	Pekka Enberg <penberg@...helsinki.fi>,
	Avi Kivity <avi@...hat.com>,
	Antoine Martin <antoine@...afix.co.uk>,
	Olivier Galibert <galibert@...ox.com>,
	Anthony Liguori <anthony@...emonkey.ws>,
	"Zhang, Yanmin" <yanmin_zhang@...ux.intel.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Sheng Yang <sheng@...ux.intel.com>,
	linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
	Marcelo Tosatti <mtosatti@...hat.com>,
	oerg Roedel <joro@...tes.org>,
	Jes Sorensen <Jes.Sorensen@...hat.com>,
	Gleb Natapov <gleb@...hat.com>,
	Zachary Amsden <zamsden@...hat.com>, ziteng.huang@...el.com,
	Arnaldo Carvalho de Melo <acme@...hat.com>,
	Fr?d?ric Weisbecker <fweisbec@...il.com>, libguestfs@...hat.com
Subject: Re: [RFC] Unify KVM kernel-space and user-space code into a single
 project


* Richard W.M. Jones <rjones@...hat.com> wrote:

> On Mon, Mar 22, 2010 at 02:56:47PM +0100, Ingo Molnar wrote:
> > Just curious: any plans to extend this to include live read/write access as 
> > well?
> >
> > I.e. to have the 'agent' (guestfsd) running universally, so that
> > tools such as perf and by users could rely on the VFS integration as
> > well, not just disaster recovery tools?
> 
> Totally.  That's not to say there is a definite plan, but we're very open to 
> doing this.  We already wrote the daemon in such a way that it doesn't 
> require the appliance part, but could run inside any existing guest (we've 
> even ported bits of it to Windoze ...).
> 
> The only remaining issue is how access control would be handled.  You 
> obviously wouldn't want anything in the host that can get access to the 
> vmchannel socket to start sending destructive write commands into guests.

By default i'd suggest to put it into a maximally restricted mount point. I.e. 
restrict access to only the security context running libguestfs or so.

( Which in practice will be the user starting the guest, so there will be 
  proper protection from other users while still allowing easy access to the 
  user that has access already. )

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ