Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked

From:	Daniel P. Berrange
Subject:	Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked
Date:	Wed, 14 Mar 2012 11:17:03 +0000
User-agent:	Mutt/1.5.21 (2010-09-15)

On Wed, Mar 14, 2012 at 07:06:50PM +0800, Wen Congyang wrote:
> At 03/14/2012 06:59 PM, Daniel P. Berrange Wrote:
> > On Wed, Mar 14, 2012 at 06:58:47PM +0800, Wen Congyang wrote:
> >> At 03/14/2012 06:52 PM, Avi Kivity Wrote:
> >>> On 03/14/2012 12:52 PM, Wen Congyang wrote:
> >>>>>
> >>>>>> If so, is this channel visible to guest userspace? If the channle is 
> >>>>>> visible to guest
> >>>>>> userspace, the program running in userspace may write the same message 
> >>>>>> to the channel.
> >>>>>
> >>>>> Access control is via permissions.  You can have udev scripts assign
> >>>>> whatever uid and gid to the port of your interest.  By default, all
> >>>>> ports are only accessible to the root user.
> >>>>
> >>>> We should also prevent root user writing message to this channel if it is
> >>>> used for panicked notification.
> >>>>
> >>>
> >>> Why?  root can easily cause a panic.
> >>>
> >>
> >> root user can write the same message to virtio-serial while the guest is 
> >> running...
> > 
> > Unless you are running a MAC policy which strictly confines the root
> > account, root can cause a kernel panic regardless of virtio-serial
> > permissions in the guest:
> > 
> >   echo c > /proc/sysrq-trigger
> 
> Yes, root user can cause a kernel panic. But if he writes the same message to 
> virtio-serial,
> the host will see the guest is panicked while the guest is not panicked. The 
> host is cheated.

The host mgmt layer must *ALWAYS* expect that any information originating
from the guest is bogus. It must never trust the guest info. So regardless
of the implementation, you have to expect that the guest might have lied
to you about it being crashed. The same is true even of Xen's panic notifier.

So if an application is automatically triggering core dumps based on this
panic notification, it needs to be aware that the guest can lie and take
steps to avoid the guest causing a DOS attack on the host. Most likely
by rate limiting the frequency of core dumps per guest, and/or setting a
max core dump storage quota per guest.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked, (continued)

Prev by Date: Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked
Next by Date: Re: [Qemu-devel] [PATCH v4 11/11] audio/rfc: remove PLIVE and PERIOD options
Previous by thread: Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked
Next by thread: Re: [Qemu-devel] [PATCH 0/2 v3] kvm: notify host when guest panicked
Index(es):
- Date
- Thread