From: "Venkateswararao Jujjuri (JV)" <jvrao@linux.vnet.ibm.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: "M. Mohan Kumar" <mohan@in.ibm.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Re: [V8 PATCH 11/11] virtio-9p: Chroot environment for other functions
Date: Fri, 11 Mar 2011 07:23:23 -0800 [thread overview]
Message-ID: <4D7A3E6B.6070106@linux.vnet.ibm.com> (raw)
In-Reply-To: <AANLkTikor+K4Wp1q9cAvZbntzx3vPXe+L9v+VZSMb5sa@mail.gmail.com>
On 3/10/2011 10:30 PM, Stefan Hajnoczi wrote:
> On Fri, Mar 11, 2011 at 5:54 AM, Venkateswararao Jujjuri (JV)
> <jvrao@linux.vnet.ibm.com> wrote:
>> On 3/10/2011 4:29 AM, Stefan Hajnoczi wrote:
>>> On Wed, Mar 9, 2011 at 5:16 PM, M. Mohan Kumar <mohan@in.ibm.com> wrote:
>>>> Add chroot functionality for systemcalls that can operate on a file
>>>> using relative directory file descriptor.
>>>
>>> I suspect the relative directory approach is broken and escapes the
>>> chroot. Here's why:
>>>
>>> The request is local_chmod(fs_ctx, "/..", credp). dirname("/..") is
>>> "/" and basename("..") is "..".
>>
>> We should never receive protocol operations with relative path.
>> Client should always resolve to full path and send the request.
>> If the client is malicious this scenario can be be possible.. but in that case
>> it is fine to fail the operation.
>
> What I haven't audited yet is whether symlinks can be abused in any of
> these *at(2) operations.
Reading symlink sends only contents to the client. So a symlink can contain
anything.
But when the fully populated path comes we avoid the potential symlink issue by
opening
the entire dir in chrooted process.
>
> The *at(2) approach seems like a shortcut to avoid implementing
> individual chroot protocol requests/responses for stat(2) and friends.
> But it carries the risk that if we don't use NOFOLLOW then we can be
> tricked into escaping the "chroot" because we're performing the
> operation outside the chroot.
I would agree with your observation. With *at(2) we need the following:
1. The path should never have ".." May be we can check it early enough and fail.
2. Get the pfd from the chroot_thread
3. use NO_FOLLOW.
If we do all three then we are fool prof.
>
> I'll take a look later today to make sure all operations safe traverse
> paths outside the chroot.
If we move all the operations to chroot, we are essentially serializing all
operations.
But the code looks lot cleaner though.
- JV
>
> Stefan
>
prev parent reply other threads:[~2011-03-11 15:23 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-09 17:15 [Qemu-devel] [V8 PATCH 00/11] virtio-9p: Use chroot to safely access files in passthrough security model M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 01/11] Implement qemu_read_full M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 02/11] virtio-9p: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 03/11] virtio-9p: Provide chroot worker side interfaces M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 04/11] virtio-9p: Add qemu side interfaces for chroot environment M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 05/11] virtio-9p: Add support to open a file in " M. Mohan Kumar
2011-03-10 11:09 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 06/11] virtio-9p: Create support " M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 07/11] virtio-9p: Support for creating special files M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 08/11] virtio-9p: Add support for removing file or directory M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 09/11] virtio-9p: Add support to rename M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 10/11] virtio-9p: Move file post creation changes to none security model M. Mohan Kumar
2011-03-09 17:16 ` [Qemu-devel] [V8 PATCH 11/11] virtio-9p: Chroot environment for other functions M. Mohan Kumar
2011-03-10 12:29 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-11 5:54 ` Venkateswararao Jujjuri (JV)
2011-03-11 6:30 ` Stefan Hajnoczi
2011-03-11 15:23 ` Venkateswararao Jujjuri (JV) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D7A3E6B.6070106@linux.vnet.ibm.com \
--to=jvrao@linux.vnet.ibm.com \
--cc=mohan@in.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.