Quoting Jamie Strandboge (ja...@ubuntu.com):
> I understand why you are doing this, but this means that a malicious
> guest is now able to create, for example, a block device with only DAC
> protecting the host. Since qemu on Ubuntu runs as non-root, this isn't
> completely horrible, but since apparmor doesn't have fine-grained
> mediation of mknod, it would be better if the guest agent were modified
> to use a socket (perhaps abstract?) so the mknod was not required.

Agreed that would be better. Do you want to open a bug against the QEMU
project and qemu package to that effect?

--
https://bugs.launchpad.net/bugs/1393842

Title:
  libvirt does not grant qemu-guest-agent channel perms