Re: [Qemu-devel] Live migration - exec: support to be reintroduced?

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Live migration - exec: support to be reintroduced?
Date: Wed, 05 Nov 2008 11:30:21 -0600	[thread overview]
Message-ID: <4911D82D.20900@codemonkey.ws> (raw)
In-Reply-To: <20081105172305.GR25523@redhat.com>

Daniel P. Berrange wrote:
> On Wed, Nov 05, 2008 at 09:19:02AM -0600, Anthony Liguori wrote:
>   
>> Daniel P. Berrange wrote:
>>     
>>> It is useful from a security point of view - it means QEMU doesn't
>>> need to be given permissions to create files, merely append to an
>>> opened file handle.
>>>
>>> On a related note, Avi pointed out to me that SCM_RIGHTS fd passing
>>> would be important for NIC hotplug to allow parity with -net arg
>>> on the command line. If the QEMU process is running unprivileged,
>>> it will not have rights to create TAP devices & giving it a setuid()
>>> network script is not desirable. The management app invoking QEMU
>>> could open the TAP device, and do any setup before passing the FD
>>> to the NIC hotplug command in the monitor. 
>>>  
>>>       
>> Yup.  If libvirt has a use case for it, then I'm more than happy to 
>> review patches.
>>
>> I'm always looking for an excuse to use SCM_RIGHTS :-)
>>
>> I think the monitor interface could use improvement.  I think it would 
>> look better as:
>>
>> (qemu) receivefd /path/to/unix/socket
>> /* waits until it receives an fd on /path/to/unix/socket */
>> fd=10
>> (qemu) closefd 10
>>
>> Then all of the existing uses of fd= can be preserved.
>>
>> I like the idea of using a temporary socket because you don't have to 
>> rely on the monitor being on a unix socket.  This will be especially 
>> useful when we can support tunneling the monitor through VNC.
>>     
>
> Yes, except that I would wouldn't want to pass "/path/to/unix/socket"
> via the monitor - that allows any process which can access that path
> to potentially open the socket & intercept the credentials. 
>   

I don't really see this as a problem.

> If I wasn't using a UNIX socket for the monitor already, then I'd
> want to be able to pass a FD to a unix socket on the command line
> so I know who's on the other end of it. 
> eg, if i was using a hypothetical VNC server transport for the 
> monitor, then perhaps allow
>
>     --monitor vnc,scmrightsfd=7
>
> Or, an explicit --scmrights arg for it
>   

Yeah, the later sounds more reasonable, but I don't really know that I 
agree that the only safe thing to do is here pass an fd on exec.  Please 
describe an attack scenario where a user could access 
/path/to/unix/socket that isn't trusted?

Regards,

Anthony Liguori

> Daniel
>

next prev parent reply	other threads:[~2008-11-05 17:30 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-11-05  0:40 [Qemu-devel] Live migration - exec: support to be reintroduced? Charles Duffy
2008-11-05  5:38 ` Anthony Liguori
2008-11-05  7:54   ` Chris Lalancette
2008-11-05 14:09     ` Anthony Liguori
2008-11-05 14:19       ` Daniel P. Berrange
2008-11-05 14:52         ` Jamie Lokier
2008-11-05 15:12         ` Anthony Liguori
2008-11-05 18:10           ` [Qemu-devel] " Charles Duffy
2008-11-05 18:55           ` Charles Duffy
2008-11-05 19:10             ` Anthony Liguori
2008-11-05 10:05   ` [Qemu-devel] " Daniel P. Berrange
2008-11-05 13:03     ` Avi Kivity
2008-11-05 14:14       ` Anthony Liguori
2008-11-05 14:37         ` Daniel P. Berrange
2008-11-05 15:19           ` Anthony Liguori
2008-11-05 17:23             ` Daniel P. Berrange
2008-11-05 17:30               ` Anthony Liguori [this message]
2008-11-05 18:13             ` Avi Kivity
2008-11-05 18:10         ` Avi Kivity
2008-11-07  1:54   ` [Qemu-devel] [PATCH] " Charles Duffy
2008-11-07 18:49     ` [Qemu-devel] Re: [PATCH] Re: Live migration - exec: support to be reintroduced? (r2) Charles Duffy
2008-11-11 16:41       ` Charles Duffy
2008-11-11 16:46       ` Anthony Liguori

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4911D82D.20900@codemonkey.ws \
    --to=anthony@codemonkey.ws \
    --cc=berrange@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).