Re: [libvirt] [PATCH RFC] lib: Forbid guest interaction with RO connections in virDomainGetVcpusFlags

On 07/16/2013 08:37 AM, Peter Krempa wrote: > Don't allow guest agent interaction by read-only connections as the > agent may be mailicious. s/mailicious/malicious/ > --- > src/libvirt.c | 6 ++++++ > 1 file changed, 6 insertions(+) Do we have any other commands that a read-only connection can use to interact with a guest agent? A quick check shows that many other commands with an AGENT flag already require read-only connections at all times (such as virDomainReboot, virDomainSendProcessSignal, virDomainSetVcpusFlags, and virDomainSnapshotCreateXML), but at least virDomainGetHostname is permitted on a read-only connection with an allowance for guest agent interaction. Also, I'm wondering if we also need any work in the ACL framework for controlling whether a command is permitted to require guest interaction. For example, does it make sense to have an ACL that says a guest shutdown via ACPI is permitted (it does not matter if the guest responds), but a guest shutdown via the agent should be prevented (because interacting with the agent of a malicious guest is too risky)? At any rate, I think we need a v2 that covers all possible agent interaction commands, if we are going to go with this approach (but the idea does make sense to me).