On Thu, Mar 22, 2012 at 09:36:30AM +0530, Onkar N Mahajan wrote:
Libvirt doesn't care about security during hot add disk images.
It even
accepts addition of disk images of other guest running on the host.
Steps followed to create this scenario :
Now, try to add vm1's disk image into vm2 - this must not be
allowed -
since for virtualized guest images. Only svirt_t processes with the
same MCS fields can read/write these images. i.e., for vm2 to access
vm1's disk image it's MCS label must be 's0:c660,c689'.
Hot addition of vm1's image i.e., /var/lib/libvirt/images/vm1.img is
successful ( which must not be allowed )
sVirt does not try to stop any host administrator actions. Its goal
is isolate guests from each other. There is nothing wrong with the
scenario you descibe from sVirt's POV. Only one guest is able to
access the disk at a time - the first VM looses access when you
give the disk to the second VM, so there is no security flaw here.
Responsibility for stopping administrator actions like this lies
with the disk locking framework. If you enable the sanlock driver
in libvirt, you would have been prevented from adding the disk
to the second guest, while the host is running
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|