From: "M. Mohan Kumar" <mohan@in.ibm.com>
To: qemu-devel@nongnu.org, libvir-list@redhat.com
Cc: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Subject: [Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p
Date: Wed, 28 Sep 2011 19:49:34 +0530
Message-ID: <201109281949.34532.mohan@in.ibm.com>

The pass-through security model in the QEMU 9p server needs root privilege to do a few
file operations (like chown, chmod to any mode/uid:gid).  There are two issues
in the pass-through security model:

1) TOCTTOU vulnerability: Following symbolic links in the server could
provide access to files beyond 9p export path.

2) When libvirt is configured to run qemu as non-root user (for example, if
qemu is configured to run as normal user 'qemu'), running file operations on
pass-through security model would fail because it needs root privileges.

To overcome the above issues, the following approach is suggested: A new filesystem
type 'proxy' is introduced. Proxy FS uses a chroot + socket combination for
securing against the known vulnerability of following symbolic links. The intention of
adding a new filesystem type is to allow qemu to run in non-root mode, but
do privileged operations using socket IO.

A new binary (known as proxy helper) will be provided as part of qemu. The proxy
helper will chroot into the 9p export path and create a socket pair or a named
socket based on the command line parameter. Qemu and the proxy helper will
communicate using this socket.

We need the following changes in the libvirt code to accommodate the new 'proxy'
filesystem type:
If the qemu 9p server is configured to use 'proxy' FS, libvirt will
* Create a socket pair
* invoke the proxy_helper binary with one of the socket ids from the pair as a
command line parameter to it, with root privilege
* invoke qemu with the other socket id from the pair as a parameter to qemu virtfs,
after dropping to the configured user privilege.
i.e., libvirt will invoke proxy_helper as:
    proxy_helper -i <socket_fd_from_socket_pair> -p <9p-path-to-export>

and qemu will be invoked with the following virtfs parameter:
    -virtfs proxy,id=<id>,sock_fd=<socket_fd_from_socket_pair>,
        path=/tmp/,security_model=prox,mount_tag=v_pass

People who want to use proxy_helper without libvirt can use the following
interface:
 $   proxy_helper -s </socket/path> -p <9p-path-to-export>

with the following qemu fsdev parameter:
    -virtfs proxy,id=<id>,socket=</socket/path>,path=/tmp/,
        security_model=prox,mount_tag=v_pass


-- 
Regards,
M. Mohan Kumar

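The privilege split the RFC describes, as an added example that is not part of the original mail or of QEMU/libvirt code: one process stands in for libvirt/QEMU (it creates the socket pair, forks, keeps one end, and sends requests), the forked child stands in for proxy_helper (it chroots into the export path when it runs as root, otherwise it only chdirs and reports that it is unconfined, then answers requests over its end). The one-line "STAT <relative-path>" request protocol and the reply format are constructed for this example, not the real proxy protocol.

```python
import os
import socket
import stat
import tempfile


def helper_serve(sock, export_path):
    """proxy_helper stand-in: confine to the export, then answer requests."""
    confined = False
    try:
        os.chroot(export_path)   # needs CAP_SYS_CHROOT; afterwards '/' IS the export,
        os.chdir("/")            # so a symlink to /etc/passwd inside it cannot escape
        confined = True
    except PermissionError:
        os.chdir(export_path)    # unprivileged demo run: no real confinement
    with sock, sock.makefile("rwb") as f:
        for line in f:
            op, _, rel = line.decode().rstrip("\n").partition(" ")
            # defence in depth: absolute paths and '..' are refused even under chroot
            if op != "STAT" or rel.startswith("/") or ".." in rel.split("/"):
                f.write(b"ERR bad request\n")
            else:
                try:
                    st = os.lstat(rel)  # lstat: never follow the link itself
                    f.write(f"OK {stat.S_IFMT(st.st_mode):o} confined={int(confined)}\n".encode())
                except OSError as e:
                    f.write(f"ERR {e.errno}\n".encode())
            f.flush()


def proxy_stat(export_path, relpath):
    """libvirt/QEMU side: socketpair + fork, keep one end, send one request."""
    ours, theirs = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:                 # child == proxy_helper (would be exec'd as root)
        ours.close()
        try:
            helper_serve(theirs, export_path)
        finally:
            os._exit(0)
    theirs.close()
    with ours:
        ours.sendall(f"STAT {relpath}\n".encode())
        reply = ours.recv(256).decode().rstrip("\n")
    os.waitpid(pid, 0)
    return reply


def make_demo_export():
    """Constructed export dir: one regular file plus a symlink pointing outside."""
    d = tempfile.mkdtemp(prefix="p9export-")
    with open(os.path.join(d, "f.txt"), "w") as fh:
        fh.write("hello\n")
    os.symlink("/etc/passwd", os.path.join(d, "escape"))
    return d
```

Under chroot the "escape" symlink resolves to a non-existent /etc/passwd inside the export; the helper only ever reports the link itself, and any caller-supplied absolute or '..' path is rejected before the filesystem is touched.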