From: Rafael David Tinoco <rafael.tinoco@canonical.com>
To: qemu-devel@nongnu.org
Cc: 1626972@bugs.launchpad.net, mst@redhat.com, marcandre.lureau@redhat.com
Subject: [Qemu-devel] [PATCH] util: secure memfd_create fallback mechanism
Date: Tue, 27 Sep 2016 03:06:21 +0000
Message-ID: <20160927030621.20862-1-rafael.tinoco@canonical.com>
Commit: 35f9b6ef3acc9d0546c395a566b04e63ca84e302 added a fallback
mechanism for systems not supporting the memfd_create syscall (started
being supported since 3.17).

Backporting memfd_create might not be accepted for distros relying
on older kernels. Nowadays there is no way for a security driver
to discover the memfd filename to be created: <tmpdir>/memfd-XXXXXX.

It is more appropriate to include UUID and/or VM names in the
temporary filename, allowing security driver rules to be applied
while maintaining the required unpredictability with mkstemp.

This change will allow libvirt to know the exact memfd file to be created
for vhost log AND to create appropriate security rules to allow access
per instance (instead of an opened rule like <tmpdir>/memfd-*).

Example of apparmor deny messages with this change:

Per VM UUID (preferred, generated automatically by libvirt):
kernel: [26632.154856] type=1400 audit(1474945148.633:78): apparmor=
"DENIED" operation="mknod" profile="libvirt-0b96011f-0dc0-44a3-92c3-
196de2efab6d" name="/tmp/memfd-0b96011f-0dc0-44a3-92c3-196de2efab6d-
qeHrBV" pid=75161 comm="qemu-system-x86" requested_mask="c" denied_
mask="c" fsuid=107 ouid=107
Per VM name (if no UUID is specified):
kernel: [26447.505653] type=1400 audit(1474944963.985:72): apparmor=
"DENIED" operation="mknod" profile="libvirt-00000000-0000-0000-0000-
000000000000" name="/tmp/memfd-instance-teste-osYpHh" pid=74648
comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107
ouid=107
Signed-off-by: Rafael David Tinoco <rafael.tinoco@canonical.com>
---
util/memfd.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/util/memfd.c b/util/memfd.c
index 4571d1a..4b715ac 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -30,6 +30,9 @@
#include <glib/gprintf.h>
#include "qemu/memfd.h"
+#include "qmp-commands.h"
+#include "qemu-common.h"
+#include "sysemu/sysemu.h"
#ifdef CONFIG_MEMFD
#include <sys/memfd.h>
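Review bot: the new includes of "qmp-commands.h" and "sysemu/sysemu.h" make a file under util/ depend on QMP command handlers and system-emulation state, which is a layering concern for a generic helper. qemu_memfd_alloc() already takes a `const char *name` argument (visible in the next hunk header), so consider having the caller pass the per-VM identifier in rather than querying QMP from here. If the dependency stays, a comment next to the includes explaining why util code needs them would help.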
@@ -94,11 +97,32 @@ void *qemu_memfd_alloc(const char *name, size_t size, unsigned int seals,
return NULL;
}
} else {
+ int ret = 0;
const char *tmpdir = g_get_tmp_dir();
+ UuidInfo *uinfo;
+ NameInfo *ninfo;
gchar *fname;
- fname = g_strdup_printf("%s/memfd-XXXXXX", tmpdir);
+ uinfo = qmp_query_uuid(NULL);
+
+ ret = strcmp(uinfo->UUID, UUID_NONE);
+ if (ret == 0) {
+ ninfo = qmp_query_name(NULL);
+ if (ninfo->has_name) {
+ fname = g_strdup_printf("%s/memfd-%s-XXXXXX", tmpdir,
+ ninfo->name);
+ } else {
+ fname = g_strdup_printf("%s/memfd-XXXXXX", tmpdir);
+ }
+ qapi_free_NameInfo(ninfo);
+ } else {
+ fname = g_strdup_printf("%s/memfd-%s-XXXXXX", tmpdir,
+ uinfo->UUID);
+ }
+
mfd = mkstemp(fname);
+
+ qapi_free_UuidInfo(uinfo);
unlink(fname);
g_free(fname);
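Review bot: the VM name is interpolated into the mkstemp template unchecked at `fname = g_strdup_printf("%s/memfd-%s-XXXXXX", tmpdir, ninfo->name)`; a name containing `/` produces a path that is no longer directly under tmpdir (or makes mkstemp fail), and the per-instance security rule would not match it. Restrict the name to a safe character set and fall back to the generic template otherwise, or use only the UUID. Separately, `ret` is used once and can be folded into `if (strcmp(uinfo->UUID, UUID_NONE) == 0)`, and when neither a UUID nor a name is set the file is still `memfd-XXXXXX`, so a broad rule is still required for that case; the commit message should say so.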
--
2.9.3
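
The naming scheme described in the commit message, as an added stand-alone C example (not QEMU code and not part of the patch): it builds the per-VM mkstemp template and, going one step beyond the patch, falls back to the generic template when the identifier contains characters that are unsafe in a file name. The helper names `id_is_safe`, `build_template` and `open_fallback_fd`, the 64-character limit and the allowed character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: 1 if `id` may be embedded in a file name, i.e. it is
 * non-empty, at most 64 bytes, and limited to [A-Za-z0-9._-] (so no '/'). */
static int id_is_safe(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n > 64) {
        return 0;
    }
    return strspn(id, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      "0123456789._-") == n;
}

/* Write "<tmpdir>/memfd-<id>-XXXXXX" into buf, or the generic
 * "<tmpdir>/memfd-XXXXXX" when id is NULL or unsafe.
 * Returns 0 on success, -1 if buf is too small. */
int build_template(char *buf, size_t len, const char *tmpdir, const char *id)
{
    int n;
    if (id && id_is_safe(id)) {
        n = snprintf(buf, len, "%s/memfd-%s-XXXXXX", tmpdir, id);
    } else {
        n = snprintf(buf, len, "%s/memfd-XXXXXX", tmpdir);
    }
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create the backing file and unlink it immediately, as the fallback path
 * does; the returned fd is the only remaining reference. -1 on error. */
int open_fallback_fd(const char *tmpdir, const char *id)
{
    char path[4096];
    int fd;
    if (build_template(path, sizeof(path), tmpdir, id) < 0) {
        return -1;
    }
    fd = mkstemp(path);   /* the XXXXXX suffix keeps the name unpredictable */
    if (fd >= 0) {
        unlink(path);
    }
    return fd;
}
```

A security-driver rule can then be scoped to `<tmpdir>/memfd-<id>-*` for identifiers that pass the check; VMs that fall back to the generic template still need the broader pattern.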