[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] tools: Restrict configuration of qemu processes

On 05/09/2016 10:35 AM, Ian Jackson wrote:
> Ian Jackson writes ("Re: [Xen-devel] [PATCH] tools: Restrict configuration of 
> qemu processes"):
>> Jim Fehlig writes ("[Xen-devel] [PATCH] tools: Restrict configuration of 
>> qemu processes"):
>>> Commit 6ef823fd added '-nodefaults' to the qemu args created by
>>> libxl, which is a good step in restricting qemu's default
>>> configuration. This change takes another step by adding
>>> -no-user-config, which ignores any user-provided config files in
>>> sysconfdir. Together, -nodefaults and -no-user-config allow Xen
>>> to avoid unkown and uncontrolled qemu configuration.
>>> Both options are also added to the qemu invocation in the
>>> xen-qemu-dom0-disk-backend systemd service file.
>> Queued, thanks.  Also listed for backport.
> I found this on my backport todo list.  Thinking about it, I have had
> second thoughts.
> I worry that existing users of stable branches might be relying on the
> user config feature (for example by dropping qemu configuration in
> ~root).  If they are, then applying this would break things for them.
> It's not a security problem because in xen the configuration in
> question would have to come from ~root.

Good point.

> So I think, probably, that we should leave this be (ie, not backport
> the patch).  Does anyone want to try to change my mind ?

I never asked for a backport, so have no incentive to change your mind. Plus, I
agree with your comment.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.