Re: [Xen-devel] [PATCH] tools: Restrict configuration of qemu processes
On 05/09/2016 10:35 AM, Ian Jackson wrote:
> Ian Jackson writes ("Re: [Xen-devel] [PATCH] tools: Restrict configuration of qemu processes"):
>> Jim Fehlig writes ("[Xen-devel] [PATCH] tools: Restrict configuration of qemu processes"):
>>> Commit 6ef823fd added '-nodefaults' to the qemu args created by
>>> libxl, which is a good step in restricting qemu's default
>>> configuration. This change takes another step by adding
>>> -no-user-config, which ignores any user-provided config files in
>>> sysconfdir. Together, -nodefaults and -no-user-config allow Xen
>>> to avoid unknown and uncontrolled qemu configuration.
>>>
>>> Both options are also added to the qemu invocation in the
>>> xen-qemu-dom0-disk-backend systemd service file.
>> Queued, thanks. Also listed for backport.
>
> I found this on my backport todo list. Thinking about it, I have had
> second thoughts.
>
> I worry that existing users of stable branches might be relying on the
> user config feature (for example by dropping qemu configuration in
> ~root). If they are, then applying this would break things for them.
>
> It's not a security problem because in xen the configuration in
> question would have to come from ~root.

Good point.

> So I think, probably, that we should leave this be (ie, not backport
> the patch). Does anyone want to try to change my mind?

I never asked for a backport, so have no incentive to change your mind. Plus, I agree with your comment.

Regards,
Jim
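An added example, not part of the thread or of the Xen patch: one way to check on a dom0 whether running qemu processes carry both options discussed above, by parsing the NUL-separated argv in `/proc/<pid>/cmdline`. The function names, the "basename starts with qemu" heuristic, and the sample command lines are assumptions constructed for illustration.

```python
import os

# The two options named in the thread. QEMU accepts one or two leading dashes.
REQUIRED = ("nodefaults", "no-user-config")

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def is_qemu(argv):
    """Heuristic (assumption): the basename of argv[0] starts with 'qemu'."""
    return bool(argv) and os.path.basename(argv[0]).startswith("qemu")

def missing_flags(argv):
    """Return the required options absent from a qemu argv, in REQUIRED order."""
    present = {a.lstrip("-") for a in argv[1:] if a.startswith("-")}
    return ["-" + f for f in REQUIRED if f not in present]

def audit(procs):
    """Map pid -> missing options for each qemu process that lacks any."""
    findings = {}
    for pid, raw in procs.items():
        argv = parse_cmdline(raw)
        if is_qemu(argv) and missing_flags(argv):
            findings[pid] = missing_flags(argv)
    return findings

def read_proc():
    """Collect cmdlines from a live Linux /proc; exited or unreadable pids are skipped."""
    out = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                out[int(name)] = f.read()
        except OSError:
            pass
    return out

def _blob(*args):
    """Build a cmdline blob the way the kernel exposes it (test helper)."""
    return b"\0".join(a.encode() for a in args) + b"\0"

# Constructed sample data: pids, paths and arguments are illustrative only.
SAMPLE = {
    101: _blob("/usr/lib/xen/bin/qemu-system-i386", "-xen-domid", "3",
               "-nodefaults", "-no-user-config"),
    102: _blob("/usr/lib/xen/bin/qemu-system-i386", "-xen-domid", "0", "-nodefaults"),
    103: _blob("/usr/sbin/sshd", "-D"),
    104: _blob("qemu-system-x86_64", "--no-user-config"),
}

if __name__ == "__main__":
    print(audit(SAMPLE))  # on a real host: audit(read_proc())
```

On an unpatched stable branch, as discussed in the thread, libxl-started qemu processes would be expected to show up with `-no-user-config` missing.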