[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC] host and guest kernel trace merging
|
From: |
Stefan Hajnoczi |
|
Subject: |
Re: [Qemu-devel] [RFC] host and guest kernel trace merging |
|
Date: |
Mon, 7 Mar 2016 15:17:05 +0000 |
|
User-agent: |
Mutt/1.5.24 (2015-08-30) |
On Fri, Mar 04, 2016 at 08:23:11AM -0500, Steven Rostedt wrote:
> The problem I have with the guest server, and something that we may be
> able to fix later on, but should always keep it in the back of our
> minds, is the security issue. For this to work, the guest server needs
> to run as root. It will have an open socket (network or to host), that
> will enable tracing on the guest. There needs to be some sort of
> verification on that connection to prevent anyone from connecting to it.
>
> In the protocol for the connection between guest and host, I'll
> currently add a "security" feature, that will allow the guest to tell
> whomever is connecting to it, what type of security feature it wants.
> For now it will be TRACE_CMD_NO_SECURITY. But that will have to change
> in the future.
qemu-guest-agent runs inside the guest and replies to RPC commands from
the host. It is used for backups, shutdown, network configuration, etc.
From time to time people have wanted the ability to execute an arbitrary
command inside the guest and return the output. This functionality has
never been merged, probably for the security reason.
A tracing server that runs inside the guest is comparable to
qemu-guest-agent. As long as the tracing server requires manual
commands to start it and does not run by default, then I think the
security issue can be kept at bay. It's a powerful tool that requires
explicit guest administrator action to enable.
Stefan
signature.asc
Description: PGP signature
Re: [Qemu-devel] [RFC] host and guest kernel trace merging, Peter Xu, 2016/03/24