From: Andy Lutomirski
Date: Wed, 26 May 2010 23:52:38 -0400
To: "Venkateswararao Jujjuri (JV)"
Cc: aliguori@us.ibm.com, qemu-devel@nongnu.org
Subject: [Qemu-devel] Re: [PATCH-V4 0/7] virtio-9p:Introducing security model for VirtFS
Message-ID: <4BFDEC86.1080904@mit.edu>
In-Reply-To: <1274916106-25616-1-git-send-email-jvrao@linux.vnet.ibm.com>

Venkateswararao Jujjuri (JV) wrote:
> This patch series introduces the security model for VirtFS.
>
> Brief description of this patch series:
>
> It introduces two types of security models for VirtFS.
> They are: mapped and passthrough.
>
> The following is common to both security models.
>
> * Client's VFS determines/enforces the access control.
>   Largely, the server should never return EACCES.
>
> * Client sends gid/mode-bit information as part of creation only.
>
> Changes from V3
> ---------------
> o Return NULL instead of exit(1) on failure in virtio_9p_init()
> o Capitalized sm_passthrough, sm_mapped
> o Added handling for EINTR for read/write.
> o Corrected default permissions for mkdir in mapped mode.
> o Added additional error handling.
>
> Changes from V2
> ---------------
> o Removed warnings resulting from chmod/chown.
> o Added code to fail normally if security_model option is not specified.
>
> Changes from V1
> ---------------
> o Added support for chmod and chown.
> o Used chmod/chown to set credentials instead of setuid/setgid.
> o Fixed a bug where uid used instead of uid.
>
>
> Security model: mapped
> ----------------------
>
> VirtFS server (QEMU) intercepts and maps all the file object create requests.
> Files on the fileserver will be created with QEMU's user credentials and the
> client-user's credentials are stored in extended attributes.
> During getattr() the server extracts the client-user's credentials from
> extended attributes and sends them to the client.
>
> Given that only the user space extended attributes are available to regular
> files, special files are created as regular files on the fileserver and the
> appropriate mode bits are stored in xattrs and will be extracted during
> getattr.
>
> If the extended attributes are missing, the server sends back the filesystem
> stat() unaltered. This provision will make the files created on the
> fileserver usable to the client.
>
> Points to be considered
>
> * Filesystem will be VirtFS'ized. Meaning that other filesystems may not
>   understand the credentials of the files created under this model.

How hard would it be to make this compatible with rsync's --fake-super?
(--fake-super already does almost what you're doing, and if you make the
formats compatible, then rsync could be used to translate. OTOH, rsyncing a
VirtFS-ified filesystem to a remote --fake-super system might have odd
side-effects.)

--Andy