From: Fam Zheng <famz@redhat.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Vijay Bellur <vbellur@redhat.com>,
	Pranith Kumar Karampuri <pkarampu@redhat.com>,
	qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
	Andy Grover <agrover@redhat.com>, Huamin Chen <hchen@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
Date: Fri, 21 Oct 2016 18:33:35 +0800
Message-ID: <20161021103335.GD27213@lemon>
In-Reply-To: <20161021095437.GC4648@stefanha-x1.localdomain>

On Fri, 10/21 10:54, Stefan Hajnoczi wrote:
> On Fri, Oct 21, 2016 at 08:11:47AM +0800, Fam Zheng wrote:
> > On Thu, 10/20 10:21, Andy Grover wrote:
> > > On 10/20/2016 07:30 AM, Fam Zheng wrote:
> > > > On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
> > > > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu
> > > > > process, does /dev/uio0 or the tcmu shared memory interface allow getting
> > > > > root or kernel privileges?
> > > > 
> > > > I haven't audited the code, but target_core_user.ko should contain the access to
> > > > /dev/uioX and make sure there is no security risk regarding buggy or malicious
> > > > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm
> > > > wrong.
> > > 
> > > Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory
> > > outside the shared memory area.
> > 
> > Thanks!
> > 
> > > 
> > > UIO devices are basically a "device drivers in userspace" kind of API so
> > > they require root to use. I seem to remember somebody mentioning ways this
> > > might work for less-privileged handlers (fd-passing??) but no way to do this
> > > exists just yet.
> > 
> > In my example in the cover letter I use chmod + non-root which seems to be
> > working properly. So I think fd-passing is a promising mechanism.
> 
> Is there any way to use the in-kernel SCSI target without root?
> 
> For example, if an unprivileged user wants to run an iSCSI target on an
> unprivileged port to serve up a regular file (test.img).

No, not possible even on an unprivileged port AFAICT. Accessing targetcli
requires root.

> 
> If the answer is no then it's unlikely qemu-tcmu can ever be used
> without root anyway...

So you are right. One possibility is we can implement some helper
functionalities in a daemon (such as tcmu-runner, or a new one), to which an
unprivileged qemu-tcmu then communicates these "export this LUN at XXX"
requests with a DBus call, similar to how libtcmu registers the new handler on
behalf of the program.

Fam

Thread overview: 9+ messages
2016-10-19 10:08 [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu Fam Zheng
2016-10-19 10:38 ` no-reply
2016-10-20 14:08 ` Stefan Hajnoczi
2016-10-20 14:30   ` Fam Zheng
2016-10-20 17:21     ` Andy Grover
2016-10-21  0:11       ` Fam Zheng
2016-10-21  9:54         ` Stefan Hajnoczi
2016-10-21 10:33           ` Fam Zheng [this message]
     [not found] ` <CAD-gW=mZ6ByJAfzvAQs2c=N8MLEbG48UsaqhZiUJhEvWPDF3Lw@mail.gmail.com>
2016-10-21  0:09   ` Fam Zheng
