Comment 8 for bug 1664931
Revision history for this message
| George Shuklin (george-shuklin) wrote Re: nova rebuild ignores all image properties and scheduler filters | #8 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
About severity of the issue: I've just imaged scenario where this would lead to compromise.
Let's says we got some PCI-passthrough installation which relies on image-level (operating system level) permissions to allow or disallow some operations with hardware. Tenants are allowed to use images with properly configured permissions system and they are forbidden to run random (untrusted/
By issuing 'rebuild' command with specially crafted image malicious tenant may compromise hardware by means of bypassing image-level security and Openstack's restriction on which images are allowed to run on the node with sensitive hardware.
I don't think that this is a common use case, but who knows whom Stuxnet would use this bug on whom nuclear factory.