From: Fam Zheng <famz@redhat.com>
To: Andy Grover <agrover@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
Pranith Kumar Karampuri <pkarampu@redhat.com>,
Vijay Bellur <vbellur@redhat.com>, Huamin Chen <hchen@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
Date: Fri, 21 Oct 2016 08:11:47 +0800 [thread overview]
Message-ID: <20161021001147.GB27213@lemon> (raw)
In-Reply-To: <16c8a152-0d2c-2ee0-e33f-35147549788b@redhat.com>
On Thu, 10/20 10:21, Andy Grover wrote:
> On 10/20/2016 07:30 AM, Fam Zheng wrote:
> > On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
> > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu
> > > process, does /dev/uio0 or the tcmu shared memory interface allow get
> > > root or kernel privileges?
> >
> > I haven't audited the code, but target_core_user.ko should contain the access to
> > /dev/uioX and make sure there is no security risk regarding buggy or malicious
> > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm
> > wrong.
>
> Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory
> outside the shared memory area.
Thanks!
>
> UIO devices are basically a "device drivers in userspace" kind of API so
> they require root to use. I seem to remember somebody mentioning ways this
> might work for less-privileged handlers (fd-passing??) but no way to do this
> exists just yet.
In my example in the cover letter I use chmod + non-root which seems to be
working properly. So I think fd-passing is a promising mechanism.
Fam
>
> Regards -- Andy
>
next prev parent reply other threads:[~2016-10-21 0:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-19 10:08 [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu Fam Zheng
2016-10-19 10:38 ` no-reply
2016-10-20 14:08 ` Stefan Hajnoczi
2016-10-20 14:30 ` Fam Zheng
2016-10-20 17:21 ` Andy Grover
2016-10-21 0:11 ` Fam Zheng [this message]
2016-10-21 9:54 ` Stefan Hajnoczi
2016-10-21 10:33 ` Fam Zheng
[not found] ` <CAD-gW=mZ6ByJAfzvAQs2c=N8MLEbG48UsaqhZiUJhEvWPDF3Lw@mail.gmail.com>
2016-10-21 0:09 ` Fam Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161021001147.GB27213@lemon \
--to=famz@redhat.com \
--cc=agrover@redhat.com \
--cc=hchen@redhat.com \
--cc=pbonzini@redhat.com \
--cc=pkarampu@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vbellur@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.