From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [140.186.70.92] (port=34698 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1Pk8gV-0002fE-NZ for qemu-devel@nongnu.org; Tue, 01 Feb 2011 00:21:49 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Pk8gP-0005lJ-L5 for qemu-devel@nongnu.org; Tue, 01 Feb 2011 00:21:47 -0500 Received: from e28smtp01.in.ibm.com ([122.248.162.1]:36076) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Pk8gP-0005jl-09 for qemu-devel@nongnu.org; Tue, 01 Feb 2011 00:21:41 -0500 Received: from d28relay03.in.ibm.com (d28relay03.in.ibm.com [9.184.220.60]) by e28smtp01.in.ibm.com (8.14.4/8.13.1) with ESMTP id p115LZwf030788 for ; Tue, 1 Feb 2011 10:51:35 +0530 Received: from d28av03.in.ibm.com (d28av03.in.ibm.com [9.184.220.65]) by d28relay03.in.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p115LY3D3661966 for ; Tue, 1 Feb 2011 10:51:34 +0530 Received: from d28av03.in.ibm.com (loopback [127.0.0.1]) by d28av03.in.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p115LX8G029920 for ; Tue, 1 Feb 2011 16:21:33 +1100 Received: from explorer.in.ibm.com ([9.124.35.46]) by d28av03.in.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id p115LXeX029915 for ; Tue, 1 Feb 2011 16:21:33 +1100 From: "M. Mohan Kumar" Date: Tue, 1 Feb 2011 10:51:33 +0530 Message-Id: <1296537693-16406-1-git-send-email-mohan@in.ibm.com> Subject: [Qemu-devel] [V4 PATCH 0/8] virtio-9p: Use chroot to safely access files in passthrough security model List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org In passthrough security model, following symbolic links in the server side could result in TOCTTOU vulnerabilities. This patchset resolves this issue by creating a dedicated process which chroots into the share path and all file object access is done in the chroot environment. This patchset implements chroot enviroment, provides necessary functions that can be used by the passthrough function calls. Changes from version V3 * Return EIO incase of socket read/write fail instead of exiting * Changed data types as suggested by Blue Swirl * Chroot process reports error through qemu process when possible Changes from version V2 * Treat socket IO errors as fatal, ie qemu will exit * Split patchset based on chroot side (server) and qemu side(client) functionalities M. Mohan Kumar (8): Implement qemu_read_full Provide chroot environment server side interfaces Add client side interfaces for chroot environment Add support to open a file in chroot environment Create support in chroot environment Support for creating special files Move file post creation changes to none security model Chroot environment for other functions Makefile.objs | 1 + hw/9pfs/virtio-9p-chroot.c | 463 ++++++++++++++++++++++++++++++++++++++++++++ hw/9pfs/virtio-9p-chroot.h | 44 +++++ hw/9pfs/virtio-9p-local.c | 455 +++++++++++++++++++++++++++++++++++-------- hw/9pfs/virtio-9p.c | 33 +++ hw/file-op-9p.h | 3 + osdep.c | 32 +++ qemu-common.h | 2 + 8 files changed, 953 insertions(+), 80 deletions(-) create mode 100644 hw/9pfs/virtio-9p-chroot.c create mode 100644 hw/9pfs/virtio-9p-chroot.h -- 1.7.3.4