lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 24 Aug 2011 12:33:14 +0300
From:	Avi Kivity <avi@...hat.com>
To:	Pekka Enberg <penberg@...nel.org>
CC:	Christoph Hellwig <hch@...radead.org>,
	Sasha Levin <levinsasha928@...il.com>,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Ingo Molnar <mingo@...e.hu>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-next@...r.kernel.org
Subject: Re: linux next: Native Linux KVM tool inclusion request

On 08/24/2011 12:19 PM, Pekka Enberg wrote:
> On 8/24/11 11:31 AM, Avi Kivity wrote:
>> On 08/23/2011 08:08 AM, Pekka Enberg wrote:
>>> As for changes, we've implemented rootfs over 9p with "kvm run"
>>> booting to host filesystem "/bin/sh" by default.
>>
>> Isn't this dangerous?  Users expect virtualization to land them in 
>> sandbox, but here an rm -rf / in the guest will happily junk the host 
>> filesystem.
>
> Not really because I never run the tool as root. However, you're right 
> that
> we should not default to /bin/sh if you're root.

Well, just trashing /home/penberg would be bad too, no? (my recent 
experience indicates it's not that catastrophic - anything important 
sits on a server somewhere and the local data is just a cache).

>>
>> Still dangerous (but just to the guest), since it's not a true 
>> snapshot.  If the host filesystem changes underneath the guest, it 
>> will see partial and incoherent updates.  Copy-on-write only works if 
>> the host filesystem doesn't change.
>
> That's a generic problem with overlayfs based solutions, isn't it? 
> We're planning
> to use copy-on-write only on files that aren't supposed to change that 
> often -
> like /usr and /lib.

So the guest won't see bad data that often?

Overlay works fine if the host tree is readonly.  So if you have a 
separate tree for guests, you can share it with any number of them.  
Just don't share the host root.

Note this probably isn't a problem booting to /bin/bash, just booting a 
full-featured guest with package management and other database-like apps 
that expect exclusive control over their data.

> I suppose we should force shared files to be read-only in
> the guest.
>

Yes, that's safer.


-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ