From: Elena Ufimtseva <elena.ufimtseva@oracle.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: John G Johnson <john.g.johnson@oracle.com>,
sstabellini@kernel.org, Jag Raman <jag.raman@oracle.com>,
konrad.wilk@oracle.com, Stefan Hajnoczi <stefanha@gmail.com>,
qemu-devel@nongnu.org, ross.lagerwall@citrix.com,
liran.alon@oracle.com, Stefan Hajnoczi <stefanha@redhat.com>,
kanth.ghatraju@oracle.com
Subject: Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess
Date: Tue, 7 May 2019 14:00:59 -0700 [thread overview]
Message-ID: <20190507210059.GA26233@heatpipe> (raw)
In-Reply-To: <20190311102006.GK12393@redhat.com>
On Mon, Mar 11, 2019 at 10:20:06AM +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 07, 2019 at 03:29:41PM -0800, John G Johnson wrote:
> >
> >
Hi Daniel, Stefan
We have not replied in a while as we were trying to figure out
the best approach after multiple comments we have received on the
patch series.
Leaving other concerns that you, Stefan and others shared with us
out of this particular topic, we would like to get your opinion on
the following approach.
Please see below.
> > > On Mar 7, 2019, at 11:27 AM, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> > >
> > > On Thu, Mar 07, 2019 at 02:51:20PM +0000, Daniel P. Berrangé wrote:
> > >> I guess one obvious answer is that the existing security mechanisms like
> > >> SELinux/ApArmor/DAC can be made to work in a more fine grained manner if
> > >> there are distinct processes. This would allow for a more useful seccomp
> > >> filter to better protect against secondary kernel exploits should QEMU
> > >> itself be exploited, if we can protect individual components.
> > >
> > > Fine-grained sandboxing is possible in theory but tedious in practice.
> > > From what I can tell this patch series doesn't implement any sandboxing
> > > for child processes.
> > >
> >
> > The policies aren’t in QEMU, but in the selinux config files.
> > They would say, for example, that when the QEMU process exec()s the
> > disk emulation process, the process security context type transitions
> > to a new type. This type would have permission to access the VM image
> > objects, whereas the QEMU process type (and any other device emulation
> > process types) cannot access them.
>
> Note that currently all QEMU instances run by libvirt have seccomp
> policy applied that explicitly forbids any use of fork+exec as a way
> to reduce avenues of attack for an exploited QEMU.
>
> Even in a modularized QEMU I'd be loathe to allow QEMU to have the
> fork+exec privileged, unless "QEMU" in this case was just a stub
> process that does nothing more than fork+exec the other binaries,
> while having zero attack exposed to the untrusted guest OS.
We see libvirt uses QEMU’s -sandbox option to indicate that QEMU
should use seccomp() to prohibit future use of certain system calls,
including fork() and exec(). Our idea is to enumerate the remote
processes needed via QEMU command line options, and have QEMU exec()
those processes before -sandbox is processed.
And we also will init seccomp for emulated devices processes.
>
> > If you wanted to use DAC, you could do the something similar by
> > making the disk emulation executable setuid to a UID than can access
> > VM image files.
> >
> > In either case, the policies and permissions are set up before
> > libvirt even runs, so it doesn’t need to be aware of them.
>
> That's not the case bearing in mind the above point about fork+exec
> being forbidden. It would likely require libvirt to be in charge of
> spawning the various helper binaries from a trusted context.
>
>
> > > How to do this in practice must be clear from the beginning if
> > > fine-grained sandboxing is the main selling point.
> > >
> > > Some details to start the discussion:
> > >
> > > * How will fine-grained SELinux/AppArmor/DAC policies be configured for
> > > each process? I guess this requires root, so does libvirt need to
> > > know about each process?
> > >
> >
> > The polices would apply to process security context types (or
> > UIDs in a DAC regime), so I would not expect libvirt to be aware of them.
>
> I'm pretty skeptical that such a large modularization of QEMU can be
> done without libvirt being aware of it & needing some kind of changes
> applied.
>
We agree with that. With above proposed approach we still have to change hotplug
in some way.
If a eparate process will be spawned, libvirt will be the one doing
fork/exec of the separate processes. Or possibly launch a helper
binaries that will unify the way how an instance is being started with
multiple processes and hotplugging.
Thanks!
Elena, Jag, John.
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2019-05-07 21:02 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-07 7:22 [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess elena.ufimtseva
2019-03-07 8:14 ` Thomas Huth
2019-03-07 14:16 ` Kevin Wolf
2019-03-07 14:21 ` Thomas Huth
2019-03-07 14:40 ` Konrad Rzeszutek Wilk
2019-03-07 14:53 ` Thomas Huth
2019-03-08 18:22 ` Elena Ufimtseva
2019-03-07 14:26 ` Stefan Hajnoczi
2019-03-07 14:51 ` Daniel P. Berrangé
2019-03-07 16:05 ` Michael S. Tsirkin
2019-03-07 16:19 ` Daniel P. Berrangé
2019-03-07 16:46 ` Michael S. Tsirkin
2019-03-07 16:49 ` Daniel P. Berrangé
2019-03-07 19:27 ` Stefan Hajnoczi
2019-03-07 23:29 ` John G Johnson
2019-03-08 9:50 ` Stefan Hajnoczi
[not found] ` <20190326080822.GC21018@stefanha-x1.localdomain>
[not found] ` <e5395abf-6b41-46c8-f5af-3210077dfdd5@oracle.com>
[not found] ` <CAAdtpL4ztcpf-CTx0fc5T_+VQ+8upHa2pEMoiZPcmBXOO6L3Og@mail.gmail.com>
2019-04-23 21:26 ` Jag Raman
2019-04-23 21:26 ` Jag Raman
2019-04-25 15:44 ` Stefan Hajnoczi
2019-04-25 15:44 ` Stefan Hajnoczi
2019-05-07 19:00 ` Jag Raman
2019-05-23 10:40 ` Stefan Hajnoczi
2019-06-11 15:53 ` Jag Raman
2019-05-23 11:11 ` Stefan Hajnoczi
2019-05-28 15:18 ` Elena Ufimtseva
2019-05-30 20:54 ` Elena Ufimtseva
2019-06-11 15:59 ` Jag Raman
2019-06-12 16:24 ` Stefan Hajnoczi
2019-06-12 17:01 ` Elena Ufimtseva
2019-03-11 10:20 ` Daniel P. Berrangé
2019-05-07 21:00 ` Elena Ufimtseva [this message]
2019-05-23 11:22 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190507210059.GA26233@heatpipe \
--to=elena.ufimtseva@oracle.com \
--cc=berrange@redhat.com \
--cc=jag.raman@oracle.com \
--cc=john.g.johnson@oracle.com \
--cc=kanth.ghatraju@oracle.com \
--cc=konrad.wilk@oracle.com \
--cc=liran.alon@oracle.com \
--cc=qemu-devel@nongnu.org \
--cc=ross.lagerwall@citrix.com \
--cc=sstabellini@kernel.org \
--cc=stefanha@gmail.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).