On 05/14/2015 05:23 PM, Sławek Kapłoński wrote:
> Hello,
>
> So if I understand you correctly, it is not so dangerous if I'm using
> libvirt with apparmor and this libvirt is adding apparmor rules for
> every qemu process, yes?
>

You should certainly verify that apparmor rules are enabled for the qemu processes. Apparmor reduces the danger of the vulnerability. However, if you are assuming that virtual machines are untrusted, then you should also assume that an attacker can execute whatever operations are permitted by the apparmor rules (mostly built based on abstraction usually at /etc/apparmor.d/libvirt-qemu); so you should check that you have reasonable limits on those permissions.

Best is to restart the processes by way of live migration or otherwise.

Best,
Favyen
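
One way to carry out the verification recommended above, as an added example that is not part of the original message: a shell function that reports the AppArmor label and mode of every running QEMU process. It assumes the kernel exposes the label in /proc/<pid>/attr/current and that QEMU processes have a comm name starting with "qemu" (or exactly "kvm"); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the AppArmor confinement of every QEMU process.
# Assumptions: the label is readable from /proc/<pid>/attr/current, and
# QEMU processes have a comm name starting with "qemu" (or exactly "kvm").

# classify_label LABEL -> prints OK, COMPLAIN or UNCONFINED
classify_label() {
    case "$1" in
        *"(enforce)")  echo OK ;;
        *"(complain)") echo COMPLAIN ;;    # violations are logged, not blocked
        *)             echo UNCONFINED ;;  # "unconfined", empty or unreadable
    esac
}

# check_qemu_confinement [PROC_ROOT]
# Prints "pid comm label verdict" for each QEMU process. Returns 1 if any
# QEMU process is not confined in enforce mode, 0 otherwise.
check_qemu_confinement() {
    proc_root=${1:-/proc}
    rc=0
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case "$comm" in
            qemu*|kvm) ;;                  # a QEMU process: inspect it
            *) continue ;;
        esac
        label=$(cat "$dir/attr/current" 2>/dev/null) || label=
        verdict=$(classify_label "$label")
        [ "$verdict" = OK ] || rc=1
        echo "${dir##*/} $comm ${label:-<none>} $verdict"
    done
    return $rc
}
```

Source the file and run `check_qemu_confinement` as root on the compute node. It only confirms that a profile is attached and enforcing; what that profile permits still has to be reviewed in the profile and abstraction files themselves.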
