Re: [Xen-devel] [PATCH] tools: Restrict configuration of qemu processes
Ian Jackson writes ("Re: [Xen-devel] [PATCH] tools: Restrict configuration of qemu processes"):
> Jim Fehlig writes ("[Xen-devel] [PATCH] tools: Restrict configuration of qemu processes"):
> > Commit 6ef823fd added '-nodefaults' to the qemu args created by
> > libxl, which is a good step in restricting qemu's default
> > configuration. This change takes another step by adding
> > -no-user-config, which ignores any user-provided config files in
> > sysconfdir. Together, -nodefaults and -no-user-config allow Xen
> > to avoid unknown and uncontrolled qemu configuration.
> >
> > Both options are also added to the qemu invocation in the
> > xen-qemu-dom0-disk-backend systemd service file.
>
> Queued, thanks. Also listed for backport.

I found this on my backport todo list.

Thinking about it, I have had second thoughts. I worry that existing
users of stable branches might be relying on the user config feature
(for example by dropping qemu configuration in ~root). If they are,
then applying this would break things for them.

It's not a security problem because in xen the configuration in
question would have to come from ~root.

So I think, probably, that we should leave this be (ie, not backport
the patch). Does anyone want to try to change my mind?

Ian.