From: Stefan Hajnoczi <stefanha@redhat.com>
To: Fam Zheng <famz@redhat.com>
Cc: Andy Grover <agrover@redhat.com>,
qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
Pranith Kumar Karampuri <pkarampu@redhat.com>,
Vijay Bellur <vbellur@redhat.com>, Huamin Chen <hchen@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
Date: Fri, 21 Oct 2016 10:54:37 +0100 [thread overview]
Message-ID: <20161021095437.GC4648@stefanha-x1.localdomain> (raw)
In-Reply-To: <20161021001147.GB27213@lemon>
[-- Attachment #1: Type: text/plain, Size: 1543 bytes --]
On Fri, Oct 21, 2016 at 08:11:47AM +0800, Fam Zheng wrote:
> On Thu, 10/20 10:21, Andy Grover wrote:
> > On 10/20/2016 07:30 AM, Fam Zheng wrote:
> > > On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
> > > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu
> > > > process, does /dev/uio0 or the tcmu shared memory interface allow get
> > > > root or kernel privileges?
> > >
> > > I haven't audited the code, but target_core_user.ko should contain the access to
> > > /dev/uioX and make sure there is no security risk regarding buggy or malicious
> > > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm
> > > wrong.
> >
> > Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory
> > outside the shared memory area.
>
> Thanks!
>
> >
> > UIO devices are basically a "device drivers in userspace" kind of API so
> > they require root to use. I seem to remember somebody mentioning ways this
> > might work for less-privileged handlers (fd-passing??) but no way to do this
> > exists just yet.
>
> In my example in the cover letter I use chmod + non-root which seems to be
> working properly. So I think fd-passing is a promising mechanism.
Is there any way to use the in-kernel SCSI target without root?
For example, if an unprivileged user wants to run an iSCSI target on an
unprivileged port to serve up a regular file (test.img).
If the answer is no then it's unlikely qemu-tcmu can ever be used
without root anyway...
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2016-10-21 9:54 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-19 10:08 [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu Fam Zheng
2016-10-19 10:38 ` no-reply
2016-10-20 14:08 ` Stefan Hajnoczi
2016-10-20 14:30 ` Fam Zheng
2016-10-20 17:21 ` Andy Grover
2016-10-21 0:11 ` Fam Zheng
2016-10-21 9:54 ` Stefan Hajnoczi [this message]
2016-10-21 10:33 ` Fam Zheng
[not found] ` <CAD-gW=mZ6ByJAfzvAQs2c=N8MLEbG48UsaqhZiUJhEvWPDF3Lw@mail.gmail.com>
2016-10-21 0:09 ` Fam Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161021095437.GC4648@stefanha-x1.localdomain \
--to=stefanha@redhat.com \
--cc=agrover@redhat.com \
--cc=famz@redhat.com \
--cc=hchen@redhat.com \
--cc=pbonzini@redhat.com \
--cc=pkarampu@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=vbellur@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).