From: "Daniel P. Berrange"
To: Rafael David Tinoco
Cc: qemu-devel@nongnu.org, 1626972@bugs.launchpad.net, marcandre.lureau@redhat.com, mst@redhat.com
Date: Tue, 27 Sep 2016 09:36:26 +0100
Subject: Re: [Qemu-devel] [PATCH] util: secure memfd_create fallback mechanism
Message-ID: <20160927083626.GC3967@redhat.com>
In-Reply-To: <20160927030621.20862-1-rafael.tinoco@canonical.com>

On Tue, Sep 27, 2016 at 03:06:21AM +0000, Rafael David Tinoco wrote:
> Commit: 35f9b6ef3acc9d0546c395a566b04e63ca84e302 added a fallback
> mechanism for systems not supporting the memfd_create syscall (supported
> since 3.17).

This is really dubious code in general and IMHO should just be reverted.
We have a golden rule that any time QEMU needs to be able to create a
file on disk, then the path should be explicitly provided as a command
line argument so that mgmt apps can control the location used.

> Backporting memfd_create might not be accepted for distros relying
> on older kernels. Nowadays there is no way for the security driver
> to discover the memfd filename to be created: /memfd-XXXXXX.
>
> It is more appropriate to include UUID and/or VM names in the
> temporary filename, allowing security driver rules to be applied
> while maintaining the required unpredictability with mkstemp.

We should not have QEMU creating unpredictable filenames in the first
place - any filenames should be determined by libvirt explicitly.

> This change will allow libvirt to know the exact memfd file to be created
> for the vhost log AND to create appropriate security rules to allow access
> per instance (instead of an opened rule like /memfd-*).

Even with this change it is bad - we don't want driver backends creating
arbitrary files in the shared /tmp directory.

Regards,
Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
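The design rule argued for in the reply above, that a fallback for a missing memfd_create may only write to a path the management application supplied and must otherwise fail instead of picking its own name under /tmp, as an added C illustration. This is not QEMU's code nor the patch under discussion; the function names, the `simulate_no_memfd` knob and the mkdtemp directory that stands in for a libvirt-chosen location are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif

/* Constructed test knob: when non-zero, behave as if the kernel predates 3.17
 * and has no memfd_create, so the fallback path can be exercised on any host. */
int simulate_no_memfd = 0;

/* Step 1: anonymous memory object, never visible on any filesystem path.
 * Returns an fd, or -1 with errno set (ENOSYS when the syscall is absent). */
int try_memfd(const char *name, size_t size)
{
    int fd = -1;
    if (simulate_no_memfd) {
        errno = ENOSYS;
        return -1;
    }
#ifdef SYS_memfd_create
    fd = (int)syscall(SYS_memfd_create, name, MFD_CLOEXEC);
#else
    errno = ENOSYS;
#endif
    if (fd < 0) {
        return -1;
    }
    if (ftruncate(fd, (off_t)size) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Step 2: fallback at a path chosen by the caller, i.e. the management app,
 * so a security driver can label or allow exactly that file. O_EXCL|O_NOFOLLOW
 * refuses pre-existing files and symlinks, 0600 keeps it private, and the
 * name is unlinked once open so nothing lingers on disk. */
int open_backing_at_path(const char *path, size_t size)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) {
        return -1;
    }
    if (ftruncate(fd, (off_t)size) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    unlink(path); /* the open fd keeps the inode alive; the entry is no longer needed */
    return fd;
}

/* Policy: memfd first; otherwise only an explicitly configured path. With no
 * path configured, report ENOSYS rather than inventing a name under /tmp. */
int open_backing(const char *name, size_t size, const char *explicit_path)
{
    int fd = try_memfd(name, size);
    if (fd >= 0 || errno != ENOSYS) {
        return fd;
    }
    if (explicit_path == NULL) {
        errno = ENOSYS;
        return -1;
    }
    return open_backing_at_path(explicit_path, size);
}

/* Size of the object behind fd, or -1. */
long backing_size(int fd)
{
    struct stat st;
    return fstat(fd, &st) < 0 ? -1L : (long)st.st_size;
}

int main(void)
{
    /* Constructed stand-in for a directory the management app would choose. */
    char dir[] = "/tmp/backing-demo-XXXXXX";
    char path[256];
    int fd;

    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    simulate_no_memfd = 1;
    fd = open_backing("vhost-log", 4096, NULL);
    printf("no explicit path: fd=%d (%s)\n", fd, fd < 0 ? strerror(errno) : "ok");

    snprintf(path, sizeof path, "%s/vhost-log", dir);
    fd = open_backing("vhost-log", 4096, path);
    printf("explicit path %s: fd=%d size=%ld\n", path, fd, backing_size(fd));
    if (fd >= 0) {
        close(fd);
    }
    rmdir(dir);
    return 0;
}
```

With the knob set, the first call fails with ENOSYS instead of producing a /memfd-XXXXXX file that no per-instance rule could match; the second succeeds only because the caller named the location, which is where a libvirt-style security driver can attach its policy.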