Charmed prometheus-libvirt-exporter explanation - security

Security

The charm installs the libvirt exporter as a snap from the Snap Store. This snap is strictly confined, so it has only the permissions required to access libvirtd and run a web server. A user can attach a snap file as a resource, which will then be installed instead of prometheus-libvirt-exporter from the Snap Store. This local snap resource is installed in dangerous mode, which does not verify file signatures, so take care to ensure the correct file is attached as a resource.

The charm also accepts a resource (dashboards), which is expected to be a zip file containing Grafana dashboards. All top-level *.json files from the zip file are sent to Grafana. Take care to ensure these files are well formed too. Malformed files are unlikely to cause security issues, but could cause instability with the charm or Grafana.
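
One way to check a dashboards zip before attaching it, as an added example that is not part of the charm's code: it parses every top-level *.json entry and reports the ones that fail. The function names, the case-sensitive .json match and the requirement that a dashboard be a JSON object are assumptions of this example.

```python
import io
import json
import sys
import zipfile
from pathlib import PurePosixPath


def check_dashboards_zip(data: bytes) -> dict:
    """Classify zip entries as ok / malformed / ignored (not top-level *.json)."""
    report = {"ok": [], "malformed": {}, "ignored": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            # Only top-level *.json files are sent to Grafana; the rest is skipped.
            if len(path.parts) != 1 or path.suffix != ".json":
                report["ignored"].append(info.filename)
                continue
            try:
                doc = json.loads(zf.read(info).decode("utf-8"))
            except (UnicodeDecodeError, json.JSONDecodeError) as exc:
                report["malformed"][info.filename] = str(exc)
                continue
            # Assumption of this example: a dashboard is a JSON object.
            if isinstance(doc, dict):
                report["ok"].append(info.filename)
            else:
                report["malformed"][info.filename] = "top-level value is not an object"
    return report


def constructed_sample() -> bytes:
    """Build a small in-memory zip; all contents are constructed for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("libvirt.json", json.dumps({"title": "libvirt", "panels": []}))
        zf.writestr("broken.json", '{"title": "oops",')  # truncated on purpose
        zf.writestr("nested/extra.json", "{}")  # not top level
        zf.writestr("README.txt", "notes")
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    result = check_dashboards_zip(data)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["malformed"] else 0)
```

Run it with the zip path as its only argument; it exits non-zero when any top-level file fails to parse.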

The charm does not directly perform any cryptographic functions.

Risks

The upstream project (libvirt-exporter) that this charm ships is unmaintained. It is, however, packaged in a strictly confined, maintained snap (prometheus-libvirt-exporter snap).

Information security

The exporter exposes metadata about VMs that may contain sensitive information, such as VM names and project names.