From: Fam Zheng <famz@redhat.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Vijay Bellur <vbellur@redhat.com>,
Pranith Kumar Karampuri <pkarampu@redhat.com>,
qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
Andy Grover <agrover@redhat.com>, Huamin Chen <hchen@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
Date: Fri, 21 Oct 2016 18:33:35 +0800 [thread overview]
Message-ID: <20161021103335.GD27213@lemon> (raw)
In-Reply-To: <20161021095437.GC4648@stefanha-x1.localdomain>
On Fri, 10/21 10:54, Stefan Hajnoczi wrote:
> On Fri, Oct 21, 2016 at 08:11:47AM +0800, Fam Zheng wrote:
> > On Thu, 10/20 10:21, Andy Grover wrote:
> > > On 10/20/2016 07:30 AM, Fam Zheng wrote:
> > > > On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
> > > > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu
> > > > > process, does /dev/uio0 or the tcmu shared memory interface allow get
> > > > > root or kernel privileges?
> > > >
> > > > I haven't audited the code, but target_core_user.ko should contain the access to
> > > > /dev/uioX and make sure there is no security risk regarding buggy or malicious
> > > > handlers. Otherwise it's a bug that should be fixed. Andy can correct me if I'm
> > > > wrong.
> > >
> > > Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory
> > > outside the shared memory area.
> >
> > Thanks!
> >
> > >
> > > UIO devices are basically a "device drivers in userspace" kind of API so
> > > they require root to use. I seem to remember somebody mentioning ways this
> > > might work for less-privileged handlers (fd-passing??) but no way to do this
> > > exists just yet.
> >
> > In my example in the cover letter I use chmod + non-root which seems to be
> > working properly. So I think fd-passing is a promising mechanism.
>
> Is there any way to use the in-kernel SCSI target without root?
>
> For example, if an unprivileged user wants to run an iSCSI target on an
> unprivileged port to serve up a regular file (test.img).
No, not possible even on an unprivileged port AFAICT. Accessing targetcli
requires root.
>
> If the answer is no then it's unlikely qemu-tcmu can ever be used
> without root anyway...
So you are right.. One possibility is we can implement some helper
functionalities in a daemon (such as tcmu-runner, or a new one), to which an
unprivileged qemu-tcmu then communicates this "export this LUN at XXX"
requests with a DBus call, similar to how libtcmu registers the new handler on
behalf of the program.
Fam
next prev parent reply other threads:[~2016-10-21 10:33 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-19 10:08 [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu Fam Zheng
2016-10-19 10:38 ` no-reply
2016-10-20 14:08 ` Stefan Hajnoczi
2016-10-20 14:30 ` Fam Zheng
2016-10-20 17:21 ` Andy Grover
2016-10-21 0:11 ` Fam Zheng
2016-10-21 9:54 ` Stefan Hajnoczi
2016-10-21 10:33 ` Fam Zheng [this message]
[not found] ` <CAD-gW=mZ6ByJAfzvAQs2c=N8MLEbG48UsaqhZiUJhEvWPDF3Lw@mail.gmail.com>
2016-10-21 0:09 ` Fam Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161021103335.GD27213@lemon \
--to=famz@redhat.com \
--cc=agrover@redhat.com \
--cc=hchen@redhat.com \
--cc=pbonzini@redhat.com \
--cc=pkarampu@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vbellur@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).