[Spice-devel] SPICE and guest breakout risk assessment

Alon Levy alevy at redhat.com
Wed Jan 1 07:15:17 PST 2014


On 12/30/2013 08:44 AM, adrelanos wrote:
> Hi,
> 
> I am currently working on testing out KVM as a platform for Whonix, a
> Debian-based spin with anonymity enforcement via usage of virtual
> machines. All traffic from a workstation vm is forced through a Tor
> gateway on the second gateway vm. Safeguarding against high level
> attacks (0days and advanced persistent threats) is our top priority and
> so right now we are hammering out the details of what virtual hardware
> should be attached into the vms.
> 
> In your opinion, is enabling SPICE and 2D acceleration via QXL+vdagent in
> the guest a security risk to the host? Consider this question in a
> scenario where the host is a RedHat derivative that has SELinux and
> seccomp enabled for QEMU. We want to find out whether this is a case of
> security vs convenience.

Enabling spice adds more code running on the host in the same context as
the qemu process (libspice-server is linked to qemu), so I'd say yes
(not sure what risk is acceptable, or what risk means exactly, but it is
a risk in the English sense :).

> 
> Thanks for your time.
> 
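An added example, not part of the original message or of the SPICE project's code: since the reply's point is that SPICE puts more code into the QEMU process, this lists which SPICE-related devices a guest definition actually attaches. It assumes the guests are managed by libvirt; the domain XML is a constructed sample and spice_surface is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML for illustration (not from the thread).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>workstation</name>
  <devices>
    <graphics type='spice' autoport='yes' listen='0.0.0.0'/>
    <video><model type='qxl'/></video>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <redirdev bus='usb' type='spicevmc'/>
  </devices>
  <seclabel type='dynamic' model='selinux'/>
</domain>
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def spice_surface(domain_xml):
    """Return (SPICE-related findings, seclabel model stated in this XML)."""
    root = ET.fromstring(domain_xml)
    dev = root.find("devices")
    if dev is None:
        dev = ET.Element("devices")
    findings = []
    for g in dev.iterfind("graphics[@type='spice']"):
        # libspice-server code is active inside the QEMU process for this guest.
        findings.append("spice-server")
        addrs = {g.get("listen")} | {l.get("address") for l in g.iterfind("listen")}
        if any(a and a not in LOOPBACK for a in addrs):
            findings.append("spice-listen-non-loopback")
    if dev.find("video/model[@type='qxl']") is not None:
        findings.append("qxl-device")
    for ch in dev.iterfind("channel[@type='spicevmc']"):
        target = ch.find("target")
        name = target.get("name", "?") if target is not None else "?"
        findings.append("spicevmc-channel:" + name)  # vdagent uses com.redhat.spice.0
    if dev.find("redirdev[@type='spicevmc']") is not None:
        findings.append("usb-redirection")
    label = root.find("seclabel")
    if label is None:
        return findings, None      # not stated here; check the live XML
    if label.get("type") == "none":
        return findings, "none"    # confinement explicitly disabled
    return findings, label.get("model")

if __name__ == "__main__":
    print(spice_surface(SAMPLE_DOMAIN))
```

Feeding it the output of `virsh dumpxml` for a running guest shows the seclabel libvirt actually applied, which the persistent definition may omit.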


