dm restrict audit: Document future plans

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

diff --git a/ts-depriv-audit-qemu b/ts-depriv-audit-qemu
index 2405b69625c9663878f4abfc096001c3181e47b0..81bd5c023b1717cfca7e60c5c732890087942958 100755 (executable)
--- a/ts-depriv-audit-qemu
+++ b/ts-depriv-audit-qemu
@@ -56,6 +56,9 @@ END
         /usr/local/lib/xen/bin/depriv-fd-checker
 END
     stashfilecontents($fish_output,"fish-info-paused.txt");
+
+    # Ideally we would check other process properties too:
+    # eg, check that qemu has chrooted; check its uid; etc.
 }
 
 sub packages () {
@@ -139,6 +142,19 @@ sub mode_ispaused () {
     audit_fish();
 }
 
+# In the future when migration works, we would like to audit the qemu
+# receiving the migration stream.  This auditing should be done just
+# before the qemu starts reading the stream, as the stream might be
+# hostile and might be able to take over the receiving qemu.
+# I intend the following approach:
+#    install wrapper script for qemu, which:
+#      looks for  -incoming fd:%d   (libxl_dm.c:1416)
+#       substitutes a pipe which will cause qemu to block
+#       waits a fixed time
+#      maybe checks that qemu is reading that fd somehow
+#      runs the audit and leaves the output somewhere we can find it
+#      arranges for the blocking pipe thing to use cat to unblock qemu
+
 compile_data_re();
 $modesubproc->();