From: Marc-André Lureau
Date: Tue, 27 Sep 2016 08:25:08 -0400 (EDT)
Subject: Re: [Qemu-devel] [PATCH] util: secure memfd_create fallback mechanism
To: "Daniel P. Berrange"
Cc: Rafael David Tinoco, qemu-devel, 1626972@bugs.launchpad.net, marcandre lureau, mst@redhat.com
Message-ID: <71469578.285028.1474979108910.JavaMail.zimbra@redhat.com>
In-Reply-To: <20160927121608.GL3967@redhat.com>

Hi

----- Original Message -----
> On Tue, Sep 27, 2016 at 07:13:55AM -0400, Marc-André Lureau wrote:
> > Hi
> >
> > ----- Original Message -----
> > >
> > > > On Sep 27, 2016, at 05:36, Daniel P. Berrange wrote:
> > > >
> > > > On Tue, Sep 27, 2016 at 03:06:21AM +0000, Rafael David Tinoco wrote:
> > > > We should not have QEMU creating unpredictable filenames in the
> > > > first place - any filenames should be determined by libvirt
> > > > explicitly.
> > >
> > > Note that the filename, per se, is not as important as other files,
> > > since qemu won't provide it for being accessed by external programs, and
> > > deletes the file, while keeping the descriptor, right after its creation
> > > (due to its nature, that is probably why it was created in /tmp).
> > >
> > > Having libvirt define a filename that would not be used for recent
> > > kernels (> 3.17) and would exist for a fraction of a second doesn't seem
> > > right to me.
> > >
> >
> > There are other parts of qemu that rely on creating temporary files, and
> > this seems to lack a bit of uniformity. Would it make sense to define a
> > place where qemu could create those? Or setting TMPDIR should help too.
> > Could libvirt set a per-VM TMPDIR with appropriate security rules?
>
> The other places that use mkstemp are block for snapshot=on, which
> libvirt does not support as we want control over the filename. This
> needs fixing by allowing a filename to be given. The qemu sockets code
> uses it for auto-creating a UNIX domain socket path, but again libvirt
> doesn't support that usage. The exec.c file uses it, but that honours
> an explicit directory path provided on the command line. So this memfd
> code really is the first place which is causing a real

Have you reviewed the hundreds of libraries qemu links to? :)

> Just setting TMPDIR per VM doesn't magically solve all these cases as
> it isn't reasonable to assume that all these files should be in the
> same location. Certainly the block snapshot file will be somewhere different
> from the others, due to its size.

I am not claiming it solves all problems, but at least it seems it would be
quite appropriate for security concerns to have a per-VM TMPDIR.
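The fallback the thread is discussing (an anonymous memory descriptor from memfd_create(), or on older kernels a file under TMPDIR created with mkstemp and unlinked immediately so only the descriptor survives), written out as an added example; this is not code from the QEMU patch or from anyone in the thread, and the function names and the "qemu-demo" name are assumptions:

```c
/* Added example (not QEMU's own code): anonymous-memory fd via memfd_create(),
 * falling back to a mkstemp() file under TMPDIR that is unlinked at once. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Fallback: $TMPDIR (default /tmp), random suffix from mkstemp (0600, O_EXCL),
 * then unlink so the file is reachable only through this descriptor. */
static int anon_fd_fallback(const char *name, char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (!dir || !*dir) dir = "/tmp";
    int n = snprintf(path, len, "%s/%s.XXXXXX", dir, name);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (unlink(path) < 0) { close(fd); return -1; }
    fcntl(fd, F_SETFD, FD_CLOEXEC);   /* keep it out of exec'd helpers */
    return fd;
}
/* Preferred: memfd_create() (Linux >= 3.17) needs no filename at all;
 * only ENOSYS (kernel too old) triggers the temp-file fallback. */
static int anon_fd(const char *name, char *path, size_t len)
{
#ifdef SYS_memfd_create
    int fd = (int)syscall(SYS_memfd_create, name, 1U /* MFD_CLOEXEC */);
    if (fd >= 0) { path[0] = '\0'; return fd; }
    if (errno != ENOSYS) return -1;
#endif
    return anon_fd_fallback(name, path, len);
}
/* Self-check: write, read back, and confirm that no path remains on disk.
 * Returns 1 on success; use_fallback forces the mkstemp route. */
static int anon_fd_selftest(int use_fallback)
{
    char path[4096], buf[16]; const char msg[] = "guest-ram";
    int fd = use_fallback ? anon_fd_fallback("qemu-demo", path, sizeof path)
                          : anon_fd("qemu-demo", path, sizeof path);
    if (fd < 0) return 0;
    int ok = pwrite(fd, msg, sizeof msg, 0) == (ssize_t)sizeof msg
          && pread(fd, buf, sizeof msg, 0) == (ssize_t)sizeof msg
          && memcmp(buf, msg, sizeof msg) == 0
          && (path[0] == '\0' || access(path, F_OK) < 0);
    close(fd);
    return ok;
}
```

Setting TMPDIR before calling it moves the fallback file out of the shared /tmp; the memfd route never touches the filesystem.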