On 01/05/2012 06:49 AM, KAMEZAWA Hiroyuki wrote:
> Hmm, won't this force admins to rewrite their domain definitions?
> Some admin may need to refresh 100s of domain definitions when he upgrades
> the distro...
> How about
> <disk type='block' device='disk' dev='/dev/sda'> <!-- SG_IO on -->
> <disk type='block' device='sdisk' dev='/dev/sda'> <!-- SG_IO off -->
> (sdisk = secure disk)
> and make 'sdisk' the default?
We believe that most sites are not passing entire disks, and thus cannot
anyway use SG_IO. That is because you need special precautions when
passing entire disks (for example to avoid that LVM scans them for
volume groups). If you're not passing an entire disk to the VM,
disabling SG_IO by default will protect you against CVE-2011-4127.
Even if you *are* passing an entire disk (for example an iSCSI share),
it's relatively rare that you need SG_IO access.
Making your proposed 'sdisk' the default does not help, because usually
the .xml files that libvirt stores include all attributes even when they
have a default value. See also the ideas I posted recently for extended
SCSI support to see why it is important to distinguish 'lun' on one side
from 'disk' and 'cdrom' on the other: in the SCSI case you can have a
passthrough disk, an emulated hard disk or an emulated CD-ROM.
Something like 'sdisk' would not extend easily to the SCSI case.
This is why we are explicitly requiring administrators to opt into the
SG_IO feature. We know that this can be a nuisance in some scenarios,
but those are the minority and it is better if everybody enjoys more
security by default.
Paolo
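An added example, not code from the thread or from libvirt itself, showing how an admin could audit stored domain definitions for the explicit SG_IO opt-in discussed above. It assumes the libvirt domain XML form where passthrough is `<disk type='block' device='lun'>` with a `<source dev='...'/>` child, and that `device` defaults to `'disk'` when absent; the sample domain is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definition (not from the thread): one LVM-backed
# emulated disk, one whole-disk SCSI passthrough LUN, one emulated CD-ROM.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <disk type='block' device='disk'>
      <source dev='/dev/vg0/guest1-root'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='block' device='lun'>
      <source dev='/dev/sdb'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/var/lib/libvirt/images/install.iso'/>
      <target dev='hdc' bus='ide'/>
    </disk>
  </devices>
</domain>"""


def disks_by_device(domain_xml):
    """Group each <disk> source path under its device= attribute
    ('disk', 'cdrom', 'lun', ...), so the 'lun' opt-ins stand out
    from the emulated disk/cdrom entries."""
    root = ET.fromstring(domain_xml)
    groups = {}
    for disk in root.iterfind("./devices/disk"):
        src = disk.find("source")
        path = None
        if src is not None:
            path = src.get("dev") or src.get("file")
        # assumption: a missing device= attribute means 'disk'
        groups.setdefault(disk.get("device", "disk"), []).append(path)
    return groups


def sgio_passthrough_disks(domain_xml):
    """Return the block devices that opted into SG_IO (device='lun').
    Only these entries reach the host SCSI command path; device='disk'
    and device='cdrom' entries stay on the emulated path."""
    root = ET.fromstring(domain_xml)
    return [
        d.find("source").get("dev")
        for d in root.iterfind("./devices/disk")
        if d.get("type") == "block" and d.get("device") == "lun"
        and d.find("source") is not None
    ]


if __name__ == "__main__":
    for dev in sgio_passthrough_disks(SAMPLE_DOMAIN_XML):
        print("SG_IO passthrough enabled for", dev)
```

Run it over each file under the libvirt configuration directory to list which guests have explicitly enabled passthrough after an upgrade.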