Re: [Qemu-devel] [PATCH v4 10/29] HACK: vhost-user-backend: allow to specify binary to execute

["Daniel P. Berrangé" <berrange@redhat.com>]

On Fri, Jul 13, 2018 at 03:08:57PM +0200, Marc-André Lureau wrote:
> An executable with its arguments may be given as 'cmd' property, ex:
> -object vhost-user-backend,id=vui,cmd="./vhost-user-input
> /dev/input..". The executable is then spawn and, by convention, the
> vhost-user socket is passed as fd=3. It may be considered a security
> breach to allow creating processes that may execute arbitrary
> executables, so this may be restricted to some known executables (via
> signature etc) or directory.

NB, Libvirt runs all QEMU instances with a seccomp policy that forbids
any use of execve(), so libvirt won't use 'cmd' at all.

> To make the patch more acceptable, the command argument would have to
> be passed via an array (probably via -object json: syntax), instead of
> using g_shell_parse_argv().

I still think we should not allow args to be specified at all. Declare
a stable API contract for this script where QEMU defines what argv and
env will be provided, in the same way we do for TAP ifup scripts. Then
on the CLI we'd only need a binary path.

> diff --git a/backends/vhost-user.c b/backends/vhost-user.c
> index bf39c0751d..32d3ec0e8b 100644
> --- a/backends/vhost-user.c
> +++ b/backends/vhost-user.c
> @@ -136,31 +136,105 @@ vhost_user_backend_stop(VhostUserBackend *b)
>      b->started = false;
>  }
>  
> +static void
> +pre_exec_cb(void *data)
> +{
> +    int *sv = data;
> +    int maxfd = sysconf(_SC_OPEN_MAX);
> +    int fd;
> +
> +    dup2(sv[1], 3);

error checking...

> +    for (fd = 4; fd < maxfd; fd++) {
> +        close(fd);

This shouldn't fail, but to be robust we should check
errors anyway.

> +    }
> +}
> +

> diff --git a/qemu-options.hx b/qemu-options.hx
> index 413b97d5e9..9243a5f8ab 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -4292,16 +4292,20 @@ secondary:
>  If you want to know the detail of above command line, you can read
>  the colo-compare git log.
>  
> -@item -object vhost-user-backend,id=id=@var{id},chardev=@var{chardevid}
> +@item -object vhost-user-backend,id=id=@var{id}[,chardev=@var{chardevid},cmd=@var{cmd}]
>  
>  Create a vhost-user-backend object that holds a connection to a
>  vhost-user backend and can be referenced from virtio/vhost-user
>  devices that support it.
>  
>  The @var{id} parameter is a unique ID that will be used to reference
> -this vhost-user backend from the @option{vhost-user} device. The
> -@var{chardev} parameter is the unique ID of a character device backend
> -that provides the connection to the vhost-user slave process. (Since 3.0)
> +this vhost-user backend from the @option{vhost-user} device.
> +
> +You must specify either @var{chardev} or @var{cmd}. The @var{chardev}
> +parameter is the unique ID of a character device backend that provides
> +the connection to the vhost-user slave process.  The @var{cmd}
> +parameter will simplify handling of the backend, by running the given
> +command and establishing the connection. (Since 3.1)

Should note that 'cmd' is not usable with seccomp policy that blocks
execve.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|