From: "Marc-André Lureau" <mlureau@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Rafael David Tinoco <rafael.tinoco@canonical.com>,
qemu-devel <qemu-devel@nongnu.org>,
1626972@bugs.launchpad.net,
marcandre lureau <marcandre.lureau@redhat.com>,
mst@redhat.com
Subject: Re: [Qemu-devel] [PATCH] util: secure memfd_create fallback mechanism
Date: Tue, 27 Sep 2016 08:25:08 -0400 (EDT)
Message-ID: <71469578.285028.1474979108910.JavaMail.zimbra@redhat.com>
In-Reply-To: <20160927121608.GL3967@redhat.com>
Hi
----- Original Message -----
> On Tue, Sep 27, 2016 at 07:13:55AM -0400, Marc-André Lureau wrote:
> > Hi
> >
> > ----- Original Message -----
> > >
> > > > On Sep 27, 2016, at 05:36, Daniel P. Berrange <berrange@redhat.com>
> > > > wrote:
> > > >
> > > > On Tue, Sep 27, 2016 at 03:06:21AM +0000, Rafael David Tinoco wrote:
> > > > We should not have QEMU creating unpredictable filenames in the
> > > > first place - any filenames should be determined by libvirt
> > > > explicitly.
> > >
> > > Note that the filename, per se, is not as important as other files,
> > > since qemu won't provide it for being accessed by external programs, and,
> > > deletes the file, while keeping the descriptor, right after its creation
> > > (due to its nature, that is probably why it was created in /tmp).
> > >
> > > Having libvirt to define a filename that would not be used for recent
> > > kernels (> 3.17) and would exist for a fraction of second doesn't seem
> > > right to me.
> > >
> >
> > There are other parts of qemu that rely on creating temporary files, and
> > this seems to lack a bit of uniformity. Would it make sense to define a
> > place where qemu could create those? Or setting TMPDIR should help too.
> > Could libvirt set a per-vm TMPDIR with appropriate security rules?
>
> The other places that use mkstemp are block for snapshot=on, which
> libvirt does not support as we want control over the filename. This
> needs fixing by allowing a filename to be given. The qemu sockets code
> uses it for auto-creating a UNIX domain socket path, but again libvirt
> doesn't support that usage. The exec.c file uses it, but that honours
> an explicit directory path provided on the command line. So this memfd
> code really is the first place which is causing a real
Have you reviewed the hundreds of libraries qemu links to? :)
> Just setting TMPDIR per VM doesn't magically solve all these cases as
> it isn't reasonable to assume that all these files should be in the
> same location. Certainly block snapshot file will be somewhere different
> from others, due to its size.
I am not claiming it solves all problems, but at least it seems it would be quite appropriate for security concerns to have a per-vm TMPDIR.
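
The fallback discussed in this thread (create a temporary file, unlink it immediately, keep only the descriptor) combined with the per-VM TMPDIR suggestion, as an added example that is not QEMU's code and not part of the original message. The function names, the `memfd-XXXXXX` template and the `example-region` name are hypothetical, and the directory is assumed to be a per-VM one (mode 0700) prepared by the management layer.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback path: create a file in `dir`, unlink it at once, keep the fd.
 * `dir` is assumed to be a per-VM directory nobody else can write to. */
int tmpfile_unlinked(const char *dir, size_t size)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof(path), "%s/memfd-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;                     /* directory path too long */
    int fd = mkstemp(path);            /* O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0)
        return -1;
    if (unlink(path) < 0 || ftruncate(fd, (off_t)size) < 0) {
        close(fd);
        return -1;
    }
    return fd;                         /* data lives until the fd is closed */
}

/* Prefer memfd_create (Linux 3.17 and later); otherwise fall back to an
 * unlinked file under $TMPDIR, or /tmp when TMPDIR is unset or empty. */
int shared_fd_create(const char *name, size_t size)
{
#ifdef SYS_memfd_create
    int fd = (int)syscall(SYS_memfd_create, name, 0u);
    if (fd >= 0)
        return ftruncate(fd, (off_t)size) == 0 ? fd : (close(fd), -1);
#endif
    (void)name;
    const char *dir = getenv("TMPDIR");
    return tmpfile_unlinked(dir && *dir ? dir : "/tmp", size);
}

int main(void)
{
    struct stat st;
    int fd = shared_fd_create("example-region", 4096);
    if (fd < 0 || fstat(fd, &st) < 0)
        return 1;
    printf("fd=%d size=%lld links=%lu\n", fd, (long long)st.st_size,
           (unsigned long)st.st_nlink);
    return 0;
}
```

With a per-VM TMPDIR, a MAC policy only has to allow the process to create and unlink files inside that one directory for the fallback path to work.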