From: "M. Mohan Kumar"
Date: Tue, 4 Oct 2011 16:38:22 +0530
Subject: Re: [Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p
Message-Id: <201110041638.22977.mohan@in.ibm.com>
In-Reply-To: <20110930095615.GB13701@redhat.com>
References: <201109281949.34532.mohan@in.ibm.com> <201109292342.47489.mohan@in.ibm.com> <20110930095615.GB13701@redhat.com>
To: "Daniel P. Berrange"
Cc: libvir-list@redhat.com, qemu-devel@nongnu.org, Stefan Hajnoczi

> That is the case if the proxy helper code is perfectly written. I am trying
> to think about the scenario where there is a bug (eg heap corruption /
> stack overflow) which allows a malicious non-root QEMU process to exploit
> the proxy helper to run code that it was *not* intended to run.
>
> If the proxy helper is running root with all capabilities, then a bug in
> the proxy helper can easily turn into a full root exploit.
>
> If the proxy helper starts as root, chroots, and then immediately drops to
> a non-root user, keeping only the CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER
> and CAP_DAC_READ_SEARCH capabilities, then a bug in the proxy helper can
> only be used to access files within the designated 9pfs export. If the
> exported directory does not contain any important host system files, then
> it is unlikely it can be used to create a full root exploit.

Thanks Daniel, I will add 'capabilities' to the proxy helper. The CAP_FOWNER capability is also needed. I am working on the patches. I will post them in a few days.
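The privilege-drop sequence Daniel describes (start as root, chroot into the export, switch to an unprivileged uid/gid, and keep only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_FOWNER) is shown below as an added, self-contained example in C. It is not the QEMU proxy helper's code and does not use libcap; it talks to the kernel's capset(2)/capget(2) ABI directly via syscall(2) so it builds with nothing beyond the Linux UAPI headers. The function names (`build_cap_words`, `cap_words_have`, `drop_to_export`) and the uid/gid values in `main` are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The capability set the helper keeps after giving up root: exactly the
 * four Daniel lists. Anything else (CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID,
 * CAP_SYS_ADMIN, ...) is discarded by drop_to_export(). */
static const int kept_caps[] = {
    CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER,
};
#define N_KEPT_CAPS (sizeof(kept_caps) / sizeof(kept_caps[0]))

/* Fill the two 32-bit capability words of the v3 capset ABI from a list of
 * CAP_* numbers. Pure function (no syscalls), so it is testable without
 * root. Returns -1 if a capability number is outside the 64-bit range. */
int build_cap_words(const int *caps, size_t n, struct __user_cap_data_struct data[2])
{
    memset(data, 0, 2 * sizeof(*data));
    for (size_t i = 0; i < n; i++) {
        if (caps[i] < 0 || caps[i] >= 64)
            return -1;
        data[caps[i] / 32].permitted |= 1u << (caps[i] % 32);
        data[caps[i] / 32].effective |= 1u << (caps[i] % 32);
        /* inheritable stays 0: nothing we might exec should inherit them */
    }
    return 0;
}

/* Is CAP_* number `cap` in the effective set described by `data`? */
int cap_words_have(const struct __user_cap_data_struct data[2], int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Confine the process to `root` and drop from uid 0 to uid/gid, keeping only
 * kept_caps. Must run as root (needs CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID).
 * Returns 0 on success, -1 with errno set on failure. Every step before the
 * uid change fails without side effects if `root` does not exist. */
int drop_to_export(const char *root, uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (build_cap_words(kept_caps, N_KEPT_CAPS, data) < 0) {
        errno = EINVAL;
        return -1;
    }
    /* 1. restrict the filesystem view to the export while still root;
     *    chdir("/") so the cwd cannot be used to escape the new root */
    if (chroot(root) < 0 || chdir("/") < 0)
        return -1;
    /* 2. ask the kernel to retain the permitted set across the uid change
     *    (by default setuid() from root to non-root clears all capabilities) */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    /* 3. groups, then gid, then uid: once uid is non-zero, setgid() would
     *    need CAP_SETGID, which we are about to throw away */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* 4. setuid() cleared the effective set; install exactly kept_caps as
     *    permitted+effective. Shrinking permitted needs no privilege, and
     *    this is the moment CAP_SYS_CHROOT/CAP_SETUID/CAP_SETGID disappear */
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    /* 5. KEEPCAPS is per-process state; do not leave it on */
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

/* Demo: drop into the export given on the command line (assumed uid/gid
 * 65534 = nobody) and report what survived. Run as root to see the drop. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <export-dir>\n", argv[0]);
        return 2;
    }
    if (drop_to_export(argv[1], 65534, 65534) < 0) {
        perror("drop_to_export");
        return 1;
    }
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct now[2];
    if (syscall(SYS_capget, &hdr, now) < 0) {
        perror("capget");
        return 1;
    }
    printf("uid=%u effective caps: chown=%d dac_override=%d dac_read_search=%d "
           "fowner=%d sys_chroot=%d sys_admin=%d\n", (unsigned)getuid(),
           cap_words_have(now, CAP_CHOWN), cap_words_have(now, CAP_DAC_OVERRIDE),
           cap_words_have(now, CAP_DAC_READ_SEARCH), cap_words_have(now, CAP_FOWNER),
           cap_words_have(now, CAP_SYS_CHROOT), cap_words_have(now, CAP_SYS_ADMIN));
    return 0;
}
```

Two caveats a reviewer would raise on top of this. First, the retained capabilities are still "file access anywhere the kernel lets us see", so the argument only holds if the chroot really is the export and nothing sensitive lives inside it; CAP_DAC_OVERRIDE plus a bind-mounted /etc would undo the benefit. Second, this example leaves the capability bounding set alone, which is fine for a helper that never exec()s; a helper that does should also PR_CAPBSET_DROP the unwanted capabilities while it still has CAP_SETPCAP, i.e. before the setuid() call.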