@@ -87,6 +87,7 @@ struct GAConfig {
GList *blockedrpcs;
GList *allowedrpcs;
bool only_confidential;
+ bool no_unrestricted;
int daemonize;
GLogLevelFlags log_level;
int dumpconf;
@@ -425,6 +426,16 @@ static bool ga_command_is_allowed(const QmpCommand *cmd, GAState *state)
allowed = false;
}
+ /*
+ * If unrestricted commands are not allowed that sets
+ * a new default, but an explicit allow/block list can
+ * override
+ */
+ if (config->no_unrestricted &&
+ qmp_command_has_feature(cmd, QAPI_FEATURE_UNRESTRICTED)) {
+ allowed = false;
+ }
+
if (config->allowedrpcs) {
/*
* If an allow-list is given, this changes the fallback
@@ -1208,6 +1219,7 @@ static void config_parse(GAConfig *config, int argc, char **argv)
{ "statedir", 1, NULL, 't' },
{ "retry-path", 0, NULL, 'r' },
{ "confidential", 0, NULL, 'i' },
+ { "no-unrestricted", 0, NULL, 'u' },
{ NULL, 0, NULL, 0 }
};
@@ -1307,6 +1319,9 @@ static void config_parse(GAConfig *config, int argc, char **argv)
case 'i':
config->only_confidential = true;
break;
+ case 'u':
+ config->no_unrestricted = true;
+ break;
case 'h':
usage(argv[0]);
exit(EXIT_SUCCESS);
@@ -42,7 +42,10 @@
'fs-frozen',
# Commands which do not violate privacy
# of a confidential guest
- 'confidential'
+ 'confidential',
+ # Commands which allow unrestricted access to or
+ # modification of guest files or execute arbitrary commands
+ 'unrestricted'
] } }
##
Historically there has been no default policy on command usage in the QEMU guest agent. A wide variety of commands have been added for various purposes * Co-ordinating host mgmt tasks (FS freezing, CPU hotplug, memory block hotplug) * Guest information querying (CPU stats, mount info, etc) * Arbitrary file read/write and command execution * User account auth setup (passwords, SSH keys) All of these have valid use cases, but they come with very different levels of risk to the guest OS. The commands supporting arbitrary file access / command exec though are giving the guest agent client effectively unrestricted access to do anything at all in the guest OS. The guest agent client is the host OS, so in effect running the QEMU guest agent gives the host admin a trivial direct backdoor into the guest OS, with no authentication, authorization or auditing of what they do. In the absense of confidential computing, the host admin already has to be considered largely trustworthy, as they will typically have direct access to any guest RAM regardless. None the less, to limit their exposure, guest OS admins may choose to limit these commands by passing '--no-unrestricted' / '-u' to QGA The --allowedrpcs / --blockedrpcs arguments take precedence over the --unrestricted arg (whether present or not), thus allowing fine tuning the defaults further. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- qga/main.c | 15 +++++++++++++++ qga/qapi-schema.json | 5 ++++- 2 files changed, 19 insertions(+), 1 deletion(-)