[Openstack-operators] Venom vulnerability

Favyen Bastani fbastani at perennate.com
Thu May 14 21:38:56 UTC 2015


On 05/14/2015 05:23 PM, Sławek Kapłoński wrote:
> Hello,
> 
> So if I understand you correctly, it is not so dangerous if I'm using
> libvirt with apparmor and this libvirt is adding apparmor rules for
> every qemu process, yes?
> 
> 

You should certainly verify that apparmor rules are enabled for the qemu
processes.

Apparmor reduces the danger of the vulnerability. However, if you are
assuming that virtual machines are untrusted, then you should also
assume that an attacker can execute whatever operations permitted by the
apparmor rules (mostly built from the abstraction, usually at
/etc/apparmor.d/libvirt-qemu); so you should check that you have
reasonable limits on those permissions. Best is to restart the processes
by way of live migration or otherwise.

Best,
Favyen
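As an added example (not part of the thread, and not code from OpenStack or libvirt), the two checks suggested above as a POSIX shell script: for every running qemu process it reports whether the process carries an AppArmor label in enforce mode, and whether the process is still executing a binary that has since been replaced on disk, which is the case that needs the restart or live migration recommended in the reply. Everything is read from /proc; the function names and the label strings used below are illustrative, and the "(deleted)" suffix check relies on how the kernel renders /proc/<pid>/exe after the underlying file is replaced.

```shell
#!/bin/sh
# Added example: audit running qemu processes for AppArmor confinement and
# for a replaced (upgraded-on-disk) qemu binary. Not part of the original
# thread; function names are illustrative.

# Classify an AppArmor label as read from /proc/<pid>/attr/current.
# libvirt-confined guests look like "libvirt-<uuid> (enforce)".
classify_confinement() {
    case "$1" in
        unconfined|"")   echo unconfined ;;
        *"(enforce)")    echo enforce ;;
        *"(complain)")   echo complain ;;
        *)               echo unknown ;;
    esac
}

# True when the readlink target of /proc/<pid>/exe ends in " (deleted)",
# i.e. the binary was replaced (e.g. by a package upgrade) after the
# process started, so the process still runs the old code.
binary_replaced() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Combine both checks into a one-line verdict for one process.
# $1 = AppArmor label, $2 = readlink target of the exe symlink.
verdict() {
    mode=$(classify_confinement "$1")
    if [ "$mode" != enforce ]; then
        echo "FAIL: not enforced ($mode)"
    elif binary_replaced "$2"; then
        echo "FAIL: running replaced binary, restart or migrate"
    else
        echo "OK"
    fi
}

# Walk /proc, apply verdict() to every qemu process, print a table and
# return non-zero if any process needs attention.
audit_qemu() {
    rc=0
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case "$comm" in qemu*) ;; *) continue ;; esac
        # Newer kernels expose the LSM-specific path; fall back to the legacy one.
        label=$(cat "$dir/attr/apparmor/current" 2>/dev/null \
             || cat "$dir/attr/current" 2>/dev/null)
        exe=$(readlink "$dir/exe" 2>/dev/null)
        v=$(verdict "$label" "$exe")
        printf '%s\t%s\t%s\t%s\n' "$pid" "$label" "$exe" "$v"
        case "$v" in OK) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh audit-qemu.sh audit
if [ "${1:-}" = audit ]; then
    audit_qemu
fi
```

Run it as root (reading another process's /proc/<pid>/exe needs that) on each compute node; any line that is not OK is a guest that is either running with a profile you did not expect or still executing the pre-upgrade qemu and should be migrated or restarted.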


