Hello,
I've found that currently the end user may not migrate a VM between
nodes with different security_require_confined; what are the reasons to
forbid such a thing? The security measures are almost not applicable
here - if the guest was able to poison the emulator's stack on an
unsecured node, he may do the same on a secured one, though the
potential consequences will be far more limited. Are there any
real-world cases whose prohibition may be helpful in terms of
security measurements for migration I am currently missing? I think it
would be safe to exclude total poisoning of a source node in which
case libvirtd itself is owned and can try to send a malicious
configuration (with changed backing files locations for example).
Thanks!