Hi,
On 08/21/2012 11:23 AM, Daniel P. Berrange wrote:
<Snip>
> > We want the admin of the vm to be able to set policy as to which devices
> > can be redirected to the vm, for example for security reasons. Clearly the
> > right place to enforce such a policy is the host and not the client, esp.
> > since the client may be outside of the control of the vm admin.
>
> What kind of threat are you expecting this to protect against ? I don't
> really see that black/white-listing on vendor/product ID is going to
> provide a very credible level of security protection. Chances are that
> if there is a flaw in the guest OS or QEMU, the attacker could simply
> spoof the required product/vendor ID and then send specially crafted
> USB packets to exploit the flaw anyway.

One example would be the vm to contain sensitive information and the admin
not wanting users to be able to redirect USB-mass-storage devices to it,
while still allowing the use of other USB peripherals. Note that the filtering
is not just by ID, it also is by class.

TBH I'm amazed we are having this discussion, everyone I've talked to before
agrees that allowing a vm admin to limit which kind of USB devices can be
redirected is a reasonable, desirable even thing to have, and agrees the
proper place for this, as a per vm setting, is on the host.

Also note that the proprietary Spice usb-redir solution which the new FOSS
usb-redir code is replacing has this ability too, and currently you can
configure a filter from RHEV-M, so from the host / vm management software.

Regards,
Hans
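
The host-side policy described in this message (no USB mass storage, other peripherals allowed), as an added example that is not part of the original e-mail or of the usb-redir code. It assumes the usbredir filter string syntax (`class,vendor,product,version,allow` rules joined by `|`, with `-1` as wildcard) and uses simplified first-match logic; the function names, the policy string and the device values are constructed for illustration.

```python
# Added example: simplified host-side evaluation of a usbredir-style filter.
from typing import Iterable, List, NamedTuple

class Rule(NamedTuple):
    usb_class: int   # -1 matches any value (same for the next three fields)
    vendor: int
    product: int
    version: int
    allow: bool

def parse_filter(text: str) -> List[Rule]:
    """Parse 'class,vendor,product,version,allow|...' into ordered rules."""
    rules = []
    for chunk in text.split("|"):
        fields = [int(f, 0) for f in chunk.split(",")]
        if len(fields) != 5 or fields[4] not in (0, 1):
            raise ValueError(f"bad rule: {chunk!r}")
        rules.append(Rule(*fields[:4], bool(fields[4])))
    return rules

def _first_match(rules, usb_class, vendor, product, version) -> bool:
    for r in rules:
        if (r.usb_class in (-1, usb_class) and r.vendor in (-1, vendor)
                and r.product in (-1, product) and r.version in (-1, version)):
            return r.allow
    return False  # no rule matched: deny by default

def device_allowed(rules: List[Rule], device_class: int,
                   interface_classes: Iterable[int],
                   vendor: int, product: int, version: int = 0) -> bool:
    # Device class 0x00 means "defined per interface", which is how mass
    # storage usually appears, so every interface class has to pass as well.
    classes = list(interface_classes)
    if device_class != 0x00:
        classes.insert(0, device_class)
    return bool(classes) and all(
        _first_match(rules, c, vendor, product, version) for c in classes)

# Constructed policy: deny class 0x08 (mass storage), allow everything else.
POLICY = parse_filter("0x08,-1,-1,-1,0|-1,-1,-1,-1,1")

# Constructed devices: (device_class, interface_classes, vendor, product)
USB_STICK = (0x00, [0x08], 0x1234, 0x5678)
KEYBOARD = (0x00, [0x03], 0x1234, 0x0001)
COMPOSITE = (0x00, [0x03, 0x08], 0x1234, 0x0002)  # HID plus storage
```

The composite case is the one a vendor/product-only list misses: a single mass-storage interface is enough for the class rule to reject the whole device.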