From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:34149) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bxX8v-0003xO-IR for qemu-devel@nongnu.org; Fri, 21 Oct 2016 06:33:42 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bxX8s-0001kh-FR for qemu-devel@nongnu.org; Fri, 21 Oct 2016 06:33:41 -0400 Received: from mx1.redhat.com ([209.132.183.28]:55584) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1bxX8s-0001kZ-A0 for qemu-devel@nongnu.org; Fri, 21 Oct 2016 06:33:38 -0400 Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7870A9D0C5 for ; Fri, 21 Oct 2016 10:33:37 +0000 (UTC) Date: Fri, 21 Oct 2016 18:33:35 +0800 From: Fam Zheng Message-ID: <20161021103335.GD27213@lemon> References: <1476871708-25096-1-git-send-email-famz@redhat.com> <20161020140827.GA2733@stefanha-x1.localdomain> <20161020143059.GA21349@lemon> <16c8a152-0d2c-2ee0-e33f-35147549788b@redhat.com> <20161021001147.GB27213@lemon> <20161021095437.GC4648@stefanha-x1.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20161021095437.GC4648@stefanha-x1.localdomain> Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Stefan Hajnoczi Cc: Vijay Bellur , Pranith Kumar Karampuri , qemu-devel@nongnu.org, Paolo Bonzini , Andy Grover , Huamin Chen On Fri, 10/21 10:54, Stefan Hajnoczi wrote: > On Fri, Oct 21, 2016 at 08:11:47AM +0800, Fam Zheng wrote: > > On Thu, 10/20 10:21, Andy Grover wrote: > > > On 10/20/2016 07:30 AM, Fam Zheng wrote: > > > > On Thu, 10/20 15:08, Stefan Hajnoczi wrote: > > > > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu > > > > > process, does /dev/uio0 or the tcmu shared memory interface allow get > > > > > root or kernel privileges? > > > > > > > > I haven't audited the code, but target_core_user.ko should contain the access to > > > > /dev/uioX and make sure there is no security risk regarding buggy or malicious > > > > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm > > > > wrong. > > > > > > Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory > > > outside the shared memory area. > > > > Thanks! > > > > > > > > UIO devices are basically a "device drivers in userspace" kind of API so > > > they require root to use. I seem to remember somebody mentioning ways this > > > might work for less-privileged handlers (fd-passing??) but no way to do this > > > exists just yet. > > > > In my example in the cover letter I use chmod + non-root which seems to be > > working properly. So I think fd-passing is a promising mechanism. > > Is there any way to use the in-kernel SCSI target without root? > > For example, if an unprivileged user wants to run an iSCSI target on an > unprivileged port to serve up a regular file (test.img). No, not possible even on an unprivileged port AFAICT. Accessing targetcli requires root. > > If the answer is no then it's unlikely qemu-tcmu can ever be used > without root anyway... So you are right.. One possibility is we can implement some helper functionalities in a daemon (such as tcmu-runner, or a new one), to which an unprivileged qemu-tcmu then communicates this "export this LUN at XXX" requests with a DBus call, similar to how libtcmu registers the new handler on behalf of the program. Fam