From: "Venkateswararao Jujjuri (JV)" <jvrao@linux.vnet.ibm.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: "M. Mohan Kumar" <mohan@in.ibm.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Re: [V8 PATCH 11/11] virtio-9p: Chroot environment for other functions
Date: Fri, 11 Mar 2011 07:23:23 -0800 [thread overview]
Message-ID: <4D7A3E6B.6070106@linux.vnet.ibm.com> (raw)
In-Reply-To: <AANLkTikor+K4Wp1q9cAvZbntzx3vPXe+L9v+VZSMb5sa@mail.gmail.com>
On 3/10/2011 10:30 PM, Stefan Hajnoczi wrote:
> On Fri, Mar 11, 2011 at 5:54 AM, Venkateswararao Jujjuri (JV)
> <jvrao@linux.vnet.ibm.com> wrote:
>> On 3/10/2011 4:29 AM, Stefan Hajnoczi wrote:
>>> On Wed, Mar 9, 2011 at 5:16 PM, M. Mohan Kumar <mohan@in.ibm.com> wrote:
>>>> Add chroot functionality for systemcalls that can operate on a file
>>>> using relative directory file descriptor.
>>>
>>> I suspect the relative directory approach is broken and escapes the
>>> chroot. Here's why:
>>>
>>> The request is local_chmod(fs_ctx, "/..", credp). dirname("/..") is
>>> "/" and basename("..") is "..".
>>
>> We should never receive protocol operations with relative path.
>> Client should always resolve to full path and send the request.
>> If the client is malicious this scenario can be be possible.. but in that case
>> it is fine to fail the operation.
>
> What I haven't audited yet is whether symlinks can be abused in any of
> these *at(2) operations.
Reading symlink sends only contents to the client. So a symlink can contain
anything.
But when the fully populated path comes we avoid the potential symlink issue by
opening
the entire dir in chrooted process.
>
> The *at(2) approach seems like a shortcut to avoid implementing
> individual chroot protocol requests/responses for stat(2) and friends.
> But it carries the risk that if we don't use NOFOLLOW then we can be
> tricked into escaping the "chroot" because we're performing the
> operation outside the chroot.
I would agree with your observation. With *at(2) we need the following:
1. The path should never have ".." May be we can check it early enough and fail.
2. Get the pfd from the chroot_thread
3. use NO_FOLLOW.
If we do all three then we are fool prof.
>
> I'll take a look later today to make sure all operations safe traverse
> paths outside the chroot.
If we move all the operations to chroot, we are essentially serializing all
operations.
But the code looks lot cleaner though.
- JV
>
> Stefan
>
prev parent reply other threads:[~2011-03-11 15:23 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-09 17:15 [Qemu-devel] [V8 PATCH 00/11] virtio-9p: Use chroot to safely access files in passthrough security model M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 01/11] Implement qemu_read_full M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 02/11] virtio-9p: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 03/11] virtio-9p: Provide chroot worker side interfaces M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 04/11] virtio-9p: Add qemu side interfaces for chroot environment M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 05/11] virtio-9p: Add support to open a file in " M. Mohan Kumar
2011-03-10 11:09 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 06/11] virtio-9p: Create support " M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 07/11] virtio-9p: Support for creating special files M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 08/11] virtio-9p: Add support for removing file or directory M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 09/11] virtio-9p: Add support to rename M. Mohan Kumar
2011-03-09 17:15 ` [Qemu-devel] [V8 PATCH 10/11] virtio-9p: Move file post creation changes to none security model M. Mohan Kumar
2011-03-09 17:16 ` [Qemu-devel] [V8 PATCH 11/11] virtio-9p: Chroot environment for other functions M. Mohan Kumar
2011-03-10 12:29 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-11 5:54 ` Venkateswararao Jujjuri (JV)
2011-03-11 6:30 ` Stefan Hajnoczi
2011-03-11 15:23 ` Venkateswararao Jujjuri (JV) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D7A3E6B.6070106@linux.vnet.ibm.com \
--to=jvrao@linux.vnet.ibm.com \
--cc=mohan@in.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).