Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line

From:	Michael Roth
Subject:	Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option
Date:	Wed, 07 Dec 2011 10:45:12 -0600
User-agent:	Mozilla/5.0 (X11; Linux i686 on x86_64; rv:8.0) Gecko/20111105 Thunderbird/8.0

On 12/07/2011 06:12 AM, Dor Laor wrote:

On 12/07/2011 12:52 PM, Daniel P. Berrange wrote:

On Wed, Dec 07, 2011 at 12:34:01PM +0200, Dor Laor wrote:

On 12/07/2011 06:03 AM, Michael Roth wrote:

This adds a command-line option, -b/--blacklist, that accepts a
comma-seperated list of RPCs to disable, or prints a list of
available RPCs if passed "?".

In consequence this also adds general blacklisting and RPC listing
facilities to the new QMP dispatch/registry facilities, should the
QMP monitor ever have a need for such a thing.


Beyond run time disablement, how easy it is to compile out some of
the general commands such as exec/file-handling?

Security certifications like common criteria usually ask to compile
out anything that might tamper security.


I don't think that's really relevant/needed. As discussed on the
call yesterday, this is security theatre, because nothing can prevent
the host admin from accessing guest RAM or disk data. AFAIK the
virtualization related security certifications acknowledge this
already& don't make any claims about security of guests against
a malicious host admin. In any case, a suitable SELinux policy for
the guest agent could prevent arbitrary file/binary access via
generic 'exec' / 'file-read' commands, in a manner that is sufficient
to satisfy security certications.


I absolutely agree that the hypervisor can tweak the guest in multiple
ways. Nevertheless there are two reasons I asked it:

1. Reduce code and noise from security reviewers eyes.
We were asked to do exactly that for other qemu functionality that
is included but does not run at all. It's just makes the review
faster.


Actually removing the code, or compiling it out?

If it's a matter of compiling it out, the best solution I can think ofis having the QAPI code generators create a #define <rpc> for each RPC,then wrapping the implementations inside an #ifdef <rpc>. That way youcould compile out the code by simply modifying the schema.

That said, I'd really like to avoid having distros get into the habit ofextensively modifying their guest agent source outside of bug fixes andwhatnot, I think it'll cause too many problems down the road. From amanagement perspective, if you're running a cloud with multiple distros,it'll be really difficult to account for agents that have been modifiedor crippled in various ways.

Perhaps we only need, say, shutdown, for ovirt, and compile out therest, but maybe a customer wants to run their RHEL guest in home-brewedenvironment where they use qemu-ga file read/write to handle a specificset of guest activation procedures. Now they need a new agent package.

It's a whole lot of hassle for host/guest admins for the sake of savinga security reviewer a bit of investigating that'll lead right back tothe general operating premise that you have to trust your hostadministrators before any chain of trust can be established.

At least with this interface we can provide some semblance of relief tousers with specific security concerns, but don't have to work withdistros to re-package agents when those concerns collide withrequirements on the host side. We can just check to see if they disabledthe functionality and request they re-enable due to <reason> by updatingtheir configs.


2. Every piece of code is a risk for exploit
Imagine that a bug/leak/use-after-free in the blacklist command or
the exec command on qemu exists and allows attacked to gain control
of qemu.

A host can never assume that a guest [agent] can be trusted. qemu-gamight've been replaced completely by a malicious guest admin, thuscircumventing any steps a distro has taken to harden it. Fortunately aguest can only affect memory outside it's address space by going throughthe virtio-serial/QMP layer. So we can focus our efforts on hardeningthe transport and json parser layers, and a lot of work has gone intothat already (placing limits on token size, recursion depth, etc). Sothat's more an issue that needs to be addressed on the qemu side, and isindependent of any particular RPC implementation on the guest side.


Regards,
Daniel

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Michael Roth, 2011/12/06
- [Qemu-devel] [PATCH 2/2] guest agent: add supported command list to guest-info RPC, Michael Roth, 2011/12/06
- Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Dor Laor, 2011/12/07
  - Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Daniel P. Berrange, 2011/12/07
    - Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Dor Laor, 2011/12/07
    - Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Michael Roth <=
    - Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Dor Laor, 2011/12/08
    - Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Michael Roth, 2011/12/08
- Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option, Anthony Liguori, 2011/12/12

Prev by Date: [Qemu-devel] [PATCH] build: Cleanup qga make output
Next by Date: Re: [Qemu-devel] [PATCH v2 0/5] backdoor: lightweight guest-to-QEMU backdoor channel
Previous by thread: Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option
Next by thread: Re: [Qemu-devel] [PATCH 1/2] guest agent: add RPC blacklist command-line option
Index(es):
- Date
- Thread