From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:45024) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R8uzV-00032w-SU for qemu-devel@nongnu.org; Wed, 28 Sep 2011 10:20:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1R8uzQ-0008SX-S9 for qemu-devel@nongnu.org; Wed, 28 Sep 2011 10:20:05 -0400
Received: from e23smtp05.au.ibm.com ([202.81.31.147]:56194) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R8uzQ-0008S9-BL for qemu-devel@nongnu.org; Wed, 28 Sep 2011 10:20:00 -0400
Received: from d23relay04.au.ibm.com (d23relay04.au.ibm.com [202.81.31.246]) by e23smtp05.au.ibm.com (8.14.4/8.13.1) with ESMTP id p8SECnLt001842 for ; Thu, 29 Sep 2011 00:12:49 +1000
Received: from d23av03.au.ibm.com (d23av03.au.ibm.com [9.190.234.97]) by d23relay04.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p8SEHZKe2060432 for ; Thu, 29 Sep 2011 00:17:35 +1000
Received: from d23av03.au.ibm.com (loopback [127.0.0.1]) by d23av03.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p8SEJcAs001755 for ; Thu, 29 Sep 2011 00:19:38 +1000
From: "M. Mohan Kumar"
Date: Wed, 28 Sep 2011 19:49:34 +0530
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <201109281949.34532.mohan@in.ibm.com>
Subject: [Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p
To: qemu-devel@nongnu.org, libvir-list@redhat.com
Cc: Stefan Hajnoczi

The pass-through security model in the QEMU 9p server needs root privilege to do a few file operations (like chown, or chmod to any mode/uid:gid). There are two issues in the pass-through security model:

1) TOCTTOU vulnerability: following symbolic links in the server could provide access to files beyond the 9p export path.

2) When libvirt is configured to run qemu as a non-root user (for example, if qemu is configured to run as the normal user 'qemu'), file operations under the pass-through security model would fail because they need root privileges.

To overcome the above issues, the following approach is suggested:

A new filesystem type 'proxy' is introduced. Proxy FS uses a chroot + socket combination to close the vulnerability known with following symbolic links. The intention of adding a new filesystem type is to allow qemu to run in non-root mode, while doing the privileged operations over socket IO.

A new binary (known as proxy helper) will be provided as part of qemu. Proxy helper will chroot into the 9p export path and create a socket pair or a named socket, based on the command line parameter. Qemu and proxy helper will communicate using this socket.

We need the following changes in the libvirt code to accommodate the new 'proxy' filesystem type. If the qemu 9p server is configured to use 'proxy' FS, libvirt will:

* Create a socket pair
* invoke the proxy_helper binary, with root privilege, passing one of the socket ids from the pair as a command line parameter
* invoke qemu with the other socket id from the pair as a parameter to qemu virtfs, after dropping to the configured user privilege.

ie, libvirt will invoke proxy_helper as:

proxy_helper -i -p <9p-path-to-export>

and qemu will be invoked with the following virtfs parameter:

-virtfs proxy,id=,sock_fd= ,path=/tmp/,security_model=prox,mount_tag=v_pass

People who want to use proxy_helper without libvirt can use the following interface:

$ proxy_helper -s -p <9p-path-to-export>

with the following qemu fsdev parameter:

-virtfs proxy,id=,socket=,path=/tmp/, security_model=prox,mount_tag=v_pass

--
Regards,
M. Mohan Kumar
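The privilege split the RFC describes (a privileged helper confined to the export path, an unprivileged qemu side, and a socket pair between them created by a third party such as libvirt) can be exercised end to end in a small model. The following Python is an added example written for this page; it is not code from the RFC, from QEMU or from libvirt. It assumes a request protocol of its own (length-prefixed JSON with "stat" and "chmod" operations), and because chroot needs root it stands in for the helper's chroot with a realpath containment check, so it runs as an ordinary user. The export directory, the regular file and the escaping symlink are all constructed by the script.

```python
import json
import os
import socket
import struct
import tempfile

# --- framing: length-prefixed JSON over the socket pair (assumed protocol) ---

def recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket")
        buf += chunk
    return buf

def send_msg(sock, obj):
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)

def recv_msg(sock):
    (n,) = struct.unpack("!I", recv_exact(sock, 4))
    return json.loads(recv_exact(sock, n))

# --- helper side: confine every path to the export, then act -----------------

def confine(export_root, rel_path):
    """Resolve rel_path beneath export_root and refuse anything whose final
    target (after following symlinks and '..') lies outside the export.
    Stand-in for the chroot the real proxy helper performs."""
    root = os.path.realpath(export_root)
    target = os.path.realpath(os.path.join(root, rel_path.lstrip("/")))
    if target != root and not target.startswith(root + os.sep):
        raise PermissionError("path escapes the 9p export: %s" % rel_path)
    return target

def handle_request(export_root, req):
    """Service one request from the unprivileged side. Only two of the
    operations the RFC calls privileged are modelled: stat and chmod."""
    try:
        path = confine(export_root, req.get("path", ""))
        if req.get("op") == "stat":
            st = os.stat(path)
            return {"ok": True, "size": st.st_size, "mode": st.st_mode & 0o777}
        if req.get("op") == "chmod":
            os.chmod(path, req["mode"])
            return {"ok": True}
        return {"ok": False, "error": "unknown op"}
    except OSError as exc:  # PermissionError from confine() is an OSError too
        return {"ok": False, "error": str(exc)}

def serve(sock, export_root):
    """Helper main loop: answer requests until the qemu side closes."""
    while True:
        try:
            req = recv_msg(sock)
        except ConnectionError:
            return
        send_msg(sock, handle_request(export_root, req))

# --- libvirt-style setup: socketpair, fork, helper vs. unprivileged client ---

def run_demo():
    """Constructed scenario: an export directory holding a regular file and a
    symlink pointing outside it. Returns the helper's reply to each request."""
    outside = tempfile.mkdtemp(prefix="outside-")
    export = tempfile.mkdtemp(prefix="export-")
    with open(os.path.join(outside, "secret"), "w") as f:
        f.write("not part of the export\n")
    with open(os.path.join(export, "hello.txt"), "w") as f:
        f.write("inside\n")
    os.symlink(os.path.join(outside, "secret"), os.path.join(export, "escape"))

    helper_end, qemu_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                       # child: plays proxy_helper
        qemu_end.close()
        serve(helper_end, export)
        os._exit(0)
    helper_end.close()                 # parent: plays the unprivileged qemu

    requests = {
        "inside": {"op": "stat", "path": "hello.txt"},
        "symlink_out": {"op": "stat", "path": "escape"},
        "dotdot_out": {"op": "stat",
                       "path": "../%s/secret" % os.path.basename(outside)},
        "chmod_inside": {"op": "chmod", "path": "hello.txt", "mode": 0o600},
    }
    replies = {}
    for name, req in requests.items():
        send_msg(qemu_end, req)
        replies[name] = recv_msg(qemu_end)
    qemu_end.close()
    os.waitpid(pid, 0)
    return replies

if __name__ == "__main__":
    for name, reply in run_demo().items():
        print(name, reply)
```

Running it shows the helper answering the in-export stat and chmod, and refusing both the symlink that points outside the export and the "../" path that walks out of it. The realpath check is only a model of the boundary: a check-then-use sequence in user space is itself exposed to the TOCTTOU race the RFC raises, since the symlink can be swapped between the check and the stat. Chrooting the helper, as the RFC proposes, moves that enforcement into the kernel's path resolution, which is why the real design uses chroot rather than a lexical check.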