From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47775)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1bxNRD-0003gq-6L
	for qemu-devel@nongnu.org; Thu, 20 Oct 2016 20:11:56 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1bxNR8-0004mF-FF
	for qemu-devel@nongnu.org; Thu, 20 Oct 2016 20:11:55 -0400
Received: from mx1.redhat.com ([209.132.183.28]:52416)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <famz@redhat.com>) id 1bxNR8-0004lw-9q
	for qemu-devel@nongnu.org; Thu, 20 Oct 2016 20:11:50 -0400
Received: from int-mx09.intmail.prod.int.phx2.redhat.com
	(int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id A781A43A3E
	for <qemu-devel@nongnu.org>; Fri, 21 Oct 2016 00:11:49 +0000 (UTC)
Date: Fri, 21 Oct 2016 08:11:47 +0800
From: Fam Zheng <famz@redhat.com>
Message-ID: <20161021001147.GB27213@lemon>
References: <1476871708-25096-1-git-send-email-famz@redhat.com>
	<20161020140827.GA2733@stefanha-x1.localdomain>
	<20161020143059.GA21349@lemon>
	<16c8a152-0d2c-2ee0-e33f-35147549788b@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <16c8a152-0d2c-2ee0-e33f-35147549788b@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Andy Grover <agrover@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>, qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>, Pranith Kumar Karampuri <pkarampu@redhat.com>, Vijay Bellur <vbellur@redhat.com>, Huamin Chen <hchen@redhat.com>

On Thu, 10/20 10:21, Andy Grover wrote:
> On 10/20/2016 07:30 AM, Fam Zheng wrote:
> > On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
> > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu
> > > process, does /dev/uio0 or the tcmu shared memory interface allow get
> > > root or kernel privileges?
> > 
> > I haven't audited the code, but target_core_user.ko should contain the access to
> > /dev/uioX and make sure there is no security risk regarding buggy or malicious
> > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm
> > wrong.
> 
> Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory
> outside the shared memory area.

Thanks!

> 
> UIO devices are basically a "device drivers in userspace" kind of API so
> they require root to use. I seem to remember somebody mentioning ways this
> might work for less-privileged handlers (fd-passing??) but no way to do this
> exists just yet.

In my example in the cover letter I use chmod + non-root which seems to be
working properly. So I think fd-passing is a promising mechanism.

Fam

> 
> Regards -- Andy
>