From: Fam Zheng <famz@redhat.com>
To: Andy Grover <agrover@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
Pranith Kumar Karampuri <pkarampu@redhat.com>,
Vijay Bellur <vbellur@redhat.com>, Huamin Chen <hchen@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
Date: Fri, 21 Oct 2016 08:11:47 +0800 [thread overview]
Message-ID: <20161021001147.GB27213@lemon> (raw)
In-Reply-To: <16c8a152-0d2c-2ee0-e33f-35147549788b@redhat.com>
On Thu, 10/20 10:21, Andy Grover wrote:
> On 10/20/2016 07:30 AM, Fam Zheng wrote:
> > On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
> > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu
> > > process, does /dev/uio0 or the tcmu shared memory interface allow get
> > > root or kernel privileges?
> >
> > I haven't audited the code, but target_core_user.ko should contain the access to
> > /dev/uioX and make sure there is no security risk regarding buggy or malicious
> > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm
> > wrong.
>
> Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory
> outside the shared memory area.
Thanks!
>
> UIO devices are basically a "device drivers in userspace" kind of API so
> they require root to use. I seem to remember somebody mentioning ways this
> might work for less-privileged handlers (fd-passing??) but no way to do this
> exists just yet.
In my example in the cover letter I use chmod + non-root which seems to be
working properly. So I think fd-passing is a promising mechanism.
Fam
>
> Regards -- Andy
>
next prev parent reply other threads:[~2016-10-21 0:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-19 10:08 [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu Fam Zheng
2016-10-19 10:38 ` no-reply
2016-10-20 14:08 ` Stefan Hajnoczi
2016-10-20 14:30 ` Fam Zheng
2016-10-20 17:21 ` Andy Grover
2016-10-21 0:11 ` Fam Zheng [this message]
2016-10-21 9:54 ` Stefan Hajnoczi
2016-10-21 10:33 ` Fam Zheng
[not found] ` <CAD-gW=mZ6ByJAfzvAQs2c=N8MLEbG48UsaqhZiUJhEvWPDF3Lw@mail.gmail.com>
2016-10-21 0:09 ` Fam Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161021001147.GB27213@lemon \
--to=famz@redhat.com \
--cc=agrover@redhat.com \
--cc=hchen@redhat.com \
--cc=pbonzini@redhat.com \
--cc=pkarampu@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vbellur@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).