Re: [Qemu-devel] [V11 00/15] virtio-9p: Use chroot to safely access files in passthrough security model

["M. Mohan Kumar" <mohan@in.ibm.com>]

On Sun, Jun 26, 2011 at 09:22:27PM +0300, Blue Swirl wrote:
> On Fri, Jun 24, 2011 at 11:22 AM, M. Mohan Kumar <mohan@in.ibm.com> wrote:
> > In passthrough security model, following symbolic links in the server
> > side could result in TOCTTOU vulnerabilities.
> > (http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use)
> >
> > This patchset resolves this issue by creating a dedicated process which
> > chroots into the share path and all file object access is done in the
> > chroot environment.
> >
> > This patchset implements chroot enviroment, provides necessary functions
> > that can be used by the passthrough function calls.
> 
> This could be interesting also for privilege separation. A helper
> process like this could access and reopen the image files etc. while
> the rest of QEMU could run in a jail.
As of now this is not generic helper, its meant for 9p export only. If
needed we can add another process which can be a helper routine for qemu.

> 
> > This patchset is rebased on top of 9p coroutines patches posted to
> > qemu-devel list
> > http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg02796.html
> 
> Aren't the coroutines running in same process, so don't they share the
> root? Also the coroutines are implemented in several OS dependent
> ways.
> 

Chroot is done in a forked process, so it won't affect others. I mentioned
about co-routines because this patchset is rebased on top of coroutines
patchset that are not yet part of mainline qemu.