On Thu, Nov 10, 2011 at 01:48:53PM +0000, Mark McLoughlin wrote:
> Thanks for all that Rich. My takeaways are:
>
>   1) The current file injection and disk resizing code in OpenStack
>      doesn't provide sufficient protection against the possibility of
>      users exploiting vulnerabilities in the kernel or core OS userspace
>      utilities.
>
>      However, there's no known vulnerability here that needs an urgent
>      response (e.g. filing a CVE) - i.e. it's not like the issue with
>      using qemu's disk format auto-detection.
>
>   2) Restricting the set of guest filesystems we support would
>      eliminate one of the most likely sources of potential
>      vulnerabilities.
>
>   3) Using libguestfs (and later, using it over libvirt/svirt) would
>      provide much greater protection along with the potential to
>      support things like LVM inside guest images.

Agreed.

I looked at their use of qemu / format detection, and it appears safe:

I tried to upload an image with backing file = /etc/passwd. You can
upload such an image to glance. But when you try to attach it to a
guest, any use of backing files is rejected by a correct test in
nova/virt/images.py.

I also looked at whether they pass the correct format field through to
libvirt (and thus to qemu), and they do.

Rich.

--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
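
The two checks described in the message above (refuse any image that names a backing file, and pass the hypervisor an explicit format instead of letting it probe), as an added Python example. It is not the test in nova/virt/images.py; it reads the qcow2 header fields directly, and the function names and sample headers are constructed for illustration.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"   # first four bytes of every qcow/qcow2 image
HEADER_LEN = 72           # size of a version 2 qcow2 header


class UnsafeImage(Exception):
    """Raised when an uploaded image must not be attached to a guest."""


def make_header(backing=b""):
    """Build a constructed qcow2 v2 header, optionally naming a backing file."""
    offset = HEADER_LEN if backing else 0
    fixed = QCOW_MAGIC + struct.pack(">IQI", 2, offset, len(backing))
    return fixed.ljust(HEADER_LEN, b"\0") + backing


def format_for_hypervisor(head, declared):
    """Check the first bytes of an image against its declared format.

    Returns the format string to pass explicitly to the hypervisor.
    """
    if declared == "raw":
        # Raw content is guest-controlled and may imitate a qcow2 header.
        # It is never parsed here; the explicit "raw" keeps qemu from probing.
        return "raw"
    if declared != "qcow2":
        raise UnsafeImage("unsupported declared format: %r" % declared)
    if len(head) < 20 or head[:4] != QCOW_MAGIC:
        raise UnsafeImage("declared qcow2 but the header is not qcow2")
    # Bytes 4-19: version (u32), backing_file_offset (u64), backing_file_size (u32)
    _version, b_off, b_len = struct.unpack(">IQI", head[4:20])
    if b_off or b_len:
        name = head[b_off:b_off + b_len].decode("utf-8", "replace")
        raise UnsafeImage("backing file not allowed: %r" % name)
    return "qcow2"


if __name__ == "__main__":
    samples = [("clean qcow2", make_header(), "qcow2"),
               ("qcow2 with backing file", make_header(b"/etc/passwd"), "qcow2"),
               ("raw, qcow2-like bytes", make_header(b"/etc/passwd"), "raw")]
    for label, head, declared in samples:
        try:
            print(label, "->", format_for_hypervisor(head, declared))
        except UnsafeImage as exc:
            print(label, "-> rejected:", exc)
```

The third sample shows why the explicit format matters: the same bytes that are rejected as qcow2 are harmless when the hypervisor is told to treat the disk as raw.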