From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:45837) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QWumI-0000gm-P0 for qemu-devel@nongnu.org; Wed, 15 Jun 2011 14:25:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QWumG-0005ZG-MO for qemu-devel@nongnu.org; Wed, 15 Jun 2011 14:25:22 -0400
Received: from e1.ny.us.ibm.com ([32.97.182.141]:42155) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QWueE-0004Sn-P9 for qemu-devel@nongnu.org; Wed, 15 Jun 2011 14:17:02 -0400
Received: from d01relay03.pok.ibm.com (d01relay03.pok.ibm.com [9.56.227.235]) by e1.ny.us.ibm.com (8.14.4/8.13.1) with ESMTP id p5FI4w3E030633 for ; Wed, 15 Jun 2011 14:04:58 -0400
Received: from d03av04.boulder.ibm.com (d03av04.boulder.ibm.com [9.17.195.170]) by d01relay03.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p5FIGgTZ133016 for ; Wed, 15 Jun 2011 14:16:42 -0400
Received: from d03av04.boulder.ibm.com (loopback [127.0.0.1]) by d03av04.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p5FCGd5s003602 for ; Wed, 15 Jun 2011 06:16:39 -0600
Message-ID: <4DF8F706.4080709@linux.vnet.ibm.com>
Date: Wed, 15 Jun 2011 11:16:38 -0700
From: Venkateswararao Jujjuri
MIME-Version: 1.0
References: <20110614081244.GB3428@in.ibm.com>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Stefan Hajnoczi
Cc: mohan@in.ibm.com, qemu-devel@nongnu.org

On 06/15/2011 10:35 AM, Stefan Hajnoczi wrote:
> On Tue, Jun 14, 2011 at 9:12 AM, M. Mohan Kumar wrote:
>> [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
>>
>> In passthrough security model, following a symbolic link in the server
>> side could result in TOCTTOU vulnerability.
>>
>> Use clone system call to create a thread which runs in chrooted
>> environment. All passthrough model file operations are done from this
>> thread to avoid TOCTTOU vulnerability.
> How will chroot(2) work when QEMU runs as non-root (i.e. secure
> production environments)?
>
This is used only in passthrough mode; passthrough mode needs root access
by design. There is no TOCTTOU vulnerability in mapped mode as symlinks are
not actual symlinks on host FS.

JV

> Stefan