[Openstack-operators] Venom vulnerability

Sławek Kapłoński slawek at kaplonski.pl
Thu May 14 21:45:33 UTC 2015


Hello,

OK, thanks for the explanations :) Yep, I know that the best is to restart the qemu
process, but this means that I can now sleep a little bit more peacefully :)

-- 
Best regards / Pozdrawiam
Sławek Kapłoński
slawek at kaplonski.pl

On Thu, May 14, 2015 at 05:38:56PM -0400, Favyen Bastani wrote:
> On 05/14/2015 05:23 PM, Sławek Kapłoński wrote:
> > Hello,
> > 
> > So if I understand you correctly, it is not so dangerous if I'm using
> > libvirt with apparmor and this libvirt is adding apparmor rules for
> > every qemu process, yes?
> > 
> > 
> 
> You should certainly verify that apparmor rules are enabled for the qemu
> processes.
> 
> Apparmor reduces the danger of the vulnerability. However, if you are
> assuming that virtual machines are untrusted, then you should also
> assume that an attacker can execute whatever operations are permitted by the
> apparmor rules (mostly built based on abstraction usually at
> /etc/apparmor.d/libvirt-qemu); so you should check that you have
> reasonable limits on those permissions. Best is to restart the processes
> by way of live migration or otherwise.
> 
> Best,
> Favyen
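
One way to do the verification recommended above, as an added example that is not part of the original thread: it reads each process's AppArmor label from `/proc/<pid>/attr/current` and reports any qemu process that is not confined in enforce mode. The function names and the `qemu*`/`kvm` process-name match are assumptions; run it as root so every process's label is readable.

```shell
#!/bin/sh
# Added example (not from the thread): report the AppArmor confinement of
# running qemu processes using the labels the kernel exposes under /proc.

# classify_label LABEL -> prints enforce | complain | unconfined | unknown
# AppArmor labels look like "libvirt-<uuid> (enforce)" or "unconfined".
classify_label() {
    case "$1" in
        unconfined|"") echo unconfined ;;   # empty: no label available
        *"(enforce)")  echo enforce ;;
        *"(complain)") echo complain ;;     # profile loaded but only logging
        *)             echo unknown ;;
    esac
}

# check_qemu_confinement [PROC_ROOT]
# Prints "<pid> <comm> <state> <label>" for every qemu process found.
# Returns 0 only if all of them are confined in enforce mode.
check_qemu_confinement() {
    proc_root="${1:-/proc}"
    rc=0
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case "$comm" in
            qemu*|kvm) ;;                   # assumed qemu process names
            *) continue ;;
        esac
        label=$(cat "$dir/attr/current" 2>/dev/null | tr -d '\000')
        state=$(classify_label "$label")
        echo "${dir##*/} $comm $state ${label:-<none>}"
        [ "$state" = enforce ] || rc=1
    done
    return $rc
}
```

Source the file and call `check_qemu_confinement`; a non-zero return means at least one qemu process is unconfined or in complain mode. An enforced profile only bounds what a compromised qemu process can do, so the permissions in the profile still need reviewing, as the reply above says.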


