From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [140.186.70.92] (port=58353 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1PxMzj-00056a-Ca for qemu-devel@nongnu.org; Wed, 09 Mar 2011 12:16:22 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1PxMzh-0005Mz-0x for qemu-devel@nongnu.org; Wed, 09 Mar 2011 12:16:18 -0500 Received: from e28smtp05.in.ibm.com ([122.248.162.5]:51976) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1PxMzg-0005MG-BD for qemu-devel@nongnu.org; Wed, 09 Mar 2011 12:16:16 -0500 Received: from d28relay01.in.ibm.com (d28relay01.in.ibm.com [9.184.220.58]) by e28smtp05.in.ibm.com (8.14.4/8.13.1) with ESMTP id p29HG9lT018670 for ; Wed, 9 Mar 2011 22:46:09 +0530 Received: from d28av01.in.ibm.com (d28av01.in.ibm.com [9.184.220.63]) by d28relay01.in.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p29HG7pi4141130 for ; Wed, 9 Mar 2011 22:46:08 +0530 Received: from d28av01.in.ibm.com (loopback [127.0.0.1]) by d28av01.in.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p29HG4rQ020132 for ; Wed, 9 Mar 2011 22:46:04 +0530 From: "M. Mohan Kumar" Date: Wed, 9 Mar 2011 22:45:49 +0530 Message-Id: <1299690960-12007-1-git-send-email-mohan@in.ibm.com> Subject: [Qemu-devel] [V8 PATCH 00/11] virtio-9p: Use chroot to safely access files in passthrough security model List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org, Stefan Hajnoczi In passthrough security model, following symbolic links in the server side could result in TOCTTOU vulnerabilities. This patchset resolves this issue by creating a dedicated process which chroots into the share path and all file object access is done in the chroot environment. This patchset implements chroot enviroment, provides necessary functions that can be used by the passthrough function calls. Changes from version V7: * Add two chroot methods remove and rename * Minor cleanups like consolidating functions Changes from version V6: * Send only fd/errno in socket operations instead of FdInfo structure * Minor cleanups Changes from version V5: * Return errno on failure instead of setting errno * Minor cleanups like updated comments, enable CONFIG_THREAD if CONFIG_VIRTFS is enabled Changes from version V4: * Avoid using malloc/free inside chroot process * Seperate chroot server and client functions Changes from version V3 * Return EIO incase of socket read/write fail instead of exiting * Changed data types as suggested by Blue Swirl * Chroot process reports error through qemu process Changes from version V2 * Treat socket IO errors as fatal, ie qemu will exit * Split patchset based on chroot side (server) and qemu side(client) functionalities M. Mohan Kumar (11): Implement qemu_read_full virtio-9p: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled virtio-9p: Provide chroot worker side interfaces virtio-9p: Add qemu side interfaces for chroot environment virtio-9p: Add support to open a file in chroot environment virtio-9p: Create support in chroot environment virtio-9p: Support for creating special files virtio-9p: Add support for removing file or directory virtio-9p: Add support to rename virtio-9p: Move file post creation changes to none security model virtio-9p: Chroot environment for other functions Makefile.objs | 1 + configure | 1 + hw/9pfs/virtio-9p-chroot-worker.c | 306 ++++++++++++++++++++++++++++++++ hw/9pfs/virtio-9p-chroot.c | 104 +++++++++++ hw/9pfs/virtio-9p-chroot.h | 47 +++++ hw/9pfs/virtio-9p-local.c | 355 ++++++++++++++++++++++++++++-------- hw/9pfs/virtio-9p.c | 25 +++ hw/file-op-9p.h | 4 + osdep.c | 32 ++++ qemu-common.h | 2 + 10 files changed, 798 insertions(+), 79 deletions(-) create mode 100644 hw/9pfs/virtio-9p-chroot-worker.c create mode 100644 hw/9pfs/virtio-9p-chroot.c create mode 100644 hw/9pfs/virtio-9p-chroot.h -- 1.7.3.4