From: "M. Mohan Kumar"
Date: Fri, 18 Mar 2011 08:57:48 +0530
Message-Id: <1300418881-20972-1-git-send-email-mohan@in.ibm.com>
Subject: [Qemu-devel] [V9 PATCH 00/13] virtio-9p: Use chroot to safely access files in passthrough security model
To: qemu-devel@nongnu.org, Stefan Hajnoczi

In the passthrough security model, following symbolic links on the server
side could result in TOCTTOU vulnerabilities. This patchset resolves this
issue by creating a dedicated process which chroots into the share path, and
all file object access is done in the chroot environment.

This patchset implements the chroot environment and provides the necessary
functions that can be used by the passthrough function calls.

Changes from version V8:
* Make chmod and chown also operate under chroot process
* Check for invalid path requests, minor cleanups

Changes from version V7:
* Add two chroot methods remove and rename
* Minor cleanups like consolidating functions

Changes from version V6:
* Send only fd/errno in socket operations instead of FdInfo structure
* Minor cleanups

Changes from version V5:
* Return errno on failure instead of setting errno
* Minor cleanups like updated comments, enable CONFIG_THREAD if
  CONFIG_VIRTFS is enabled

Changes from version V4:
* Avoid using malloc/free inside chroot process
* Separate chroot server and client functions

Changes from version V3:
* Return EIO in case of socket read/write fail instead of exiting
* Changed data types as suggested by Blue Swirl
* Chroot process reports error through qemu process

Changes from version V2:
* Treat socket IO errors as fatal, i.e. qemu will exit
* Split patchset based on chroot side (server) and qemu side (client)
  functionalities

M. Mohan Kumar (13):
  Implement qemu_read_full
  virtio-9p: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled
  virtio-9p: Provide chroot worker side interfaces
  virtio-9p: Add qemu side interfaces for chroot environment
  virtio-9p: Add support to open a file in chroot environment
  virtio-9p: Create support in chroot environment
  virtio-9p: Support for creating special files
  virtio-9p: Add support for removing file or directory
  virtio-9p: Add support to rename
  virtio-9p: Move file post creation changes to none security model
  virtio-9p: Add support for chmod
  virtio-9p: Add support for chown
  virtio-9p: Chroot environment for other functions

 Makefile.objs                     |    1 +
 configure                         |    1 +
 hw/9pfs/virtio-9p-chroot-worker.c |  342 +++++++++++++++++++++++++++++++++++++
 hw/9pfs/virtio-9p-chroot.c        |  105 +++++++++++
 hw/9pfs/virtio-9p-chroot.h        |   47 +++++
 hw/9pfs/virtio-9p-local.c         |  332 +++++++++++++++++++++++++++---------
 hw/9pfs/virtio-9p.c               |   24 +++
 hw/file-op-9p.h                   |    3 +
 osdep.c                           |   32 ++++
 qemu-common.h                     |    2 +
 10 files changed, 811 insertions(+), 78 deletions(-)
 create mode 100644 hw/9pfs/virtio-9p-chroot-worker.c
 create mode 100644 hw/9pfs/virtio-9p-chroot.c
 create mode 100644 hw/9pfs/virtio-9p-chroot.h

-- 
1.7.3.4