From: Eric Blake <eblake@redhat.com>
To: Blue Swirl <blauwirbel@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>,
"libvir-list@redhat.com" <libvir-list@redhat.com>,
Jes Sorensen <Jes.Sorensen@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Stefan Hajnoczi <stefanha@gmail.com>
Subject: Re: [Qemu-devel] live snapshot wiki updated
Date: Wed, 20 Jul 2011 12:17:54 -0600 [thread overview]
Message-ID: <4E271BD2.7040805@redhat.com> (raw)
In-Reply-To: <CAAu8pHt1nTWXXEqtgYs3xP4A5O9U8_rF75VZ=5hPHvsn_yL7ug@mail.gmail.com>
On 07/20/2011 12:00 PM, Blue Swirl wrote:
>>> Let's have files A, B, C etc. with backing files AA etc. How would
>>> libvirt know that when QEMU wants to write to file CA, this is because
>>> it's needed to access C, or is it just trickery by a devious guest to
>>> corrupt storage?
>>
>> The fix for CVE-2010-2238 already deals with this: if primary image C refers
>> to backing file CA of raw format, but does not state what file format CA
>> contains, then a malicious guest can modify the contents of CA to appear to
>> be yet another qcow2 image. At which point, if libvirt follows the backing
>> file specified in CA, then yes, the malicious guest really can cause libvirt
>> to expose arbitrary file CB for manipulation by the guest. But that
>> security hole was already plugged - by default, libvirt refuses to probe
>> backing files parsed from qcow2 headers for file format, but instead
>> requires the outer qcow2 header to also include the a file format
>> designation for the backing file. At which point, you then have a safe
>> chain: if C refers to CA, then libvirt knows that both C and CA are
>> essential to the storage presented by giving qemu the file name C, and the
>> guest will already be modifying CA, but there is no storage corruption
>> involved.
>
> But what if CA is accessed even if C is not? For example, QEMU opens C
> (to determine CA and write new information about the path), closes it
> and then requests CA?
Why is qemu trying to access CA?
Either because CA was mentioned as a backing file for C (in which case
libvirt already knows about it, because either libvirt handed C to qemu
at startup time after already parsing C's headers to learn that CA is a
backing file, or because libvirt called the snapshot_blkdev command with
the intent of having qemu populate CA with C as its backing file), or
because qemu has a bug (in which case, libvirt should refuse the access
to CA).
Libvirt is already perfectly capable of tracking all files that qemu
might need to access, and whether it is qemu or libvirt that does the
open() of those files, we can still have libvirt validate whether each
request for a file makes sense given the context of all previous files
in use from the time the qemu command line was invoked and across all
monitor commands in the meantime.
On non-NFS solutions, where every file can have a SELinux label, then
the security is then present by merely having libvirt relabel all such
files to a unique label for that particular qemu process, and SELinux
merely enforces that qemu cannot open() anything but what libvirt has
already labeled. And since libvirt already knows which files to label
in the non-NFS scenario, it already knows which fds to pass in the NFS
scenario, at which point the ability to prevent qemu from open()ing an
NFS file is a security enhancement.
Your question about qemu wanting to use CA is thus answered
independently of whether the fd management solution is solved by libvirt
handing an fd for CA to qemu prior to any monitor command where qemu
will then need to use CA, or whether qemu is taught to asynchronously
ask libvirt to open an fd for CA on qemu's behalf. The answer is that
libvirt already tracks whether qemu should access CA, and just needs a
way to enforce that knowledge. The enforcement already exists for
non-NFS via SELinux labels, and the proposal to add fd handling will
expand that enforcement to also cover NFS.
--
Eric Blake eblake@redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
next prev parent reply other threads:[~2011-07-20 18:42 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-15 14:58 [Qemu-devel] live snapshot wiki updated Jes Sorensen
2011-07-18 14:08 ` Stefan Hajnoczi
2011-07-19 7:24 ` Jes Sorensen
2011-07-19 13:23 ` Stefan Hajnoczi
2011-07-19 13:27 ` Jes Sorensen
2011-07-19 13:58 ` Eric Blake
2011-07-19 14:09 ` Jes Sorensen
2011-07-19 14:24 ` Eric Blake
2011-07-19 14:30 ` Jes Sorensen
2011-07-19 15:14 ` Stefan Hajnoczi
2011-07-19 16:46 ` Daniel P. Berrange
2011-07-20 7:30 ` Markus Armbruster
2011-07-20 8:23 ` Jes Sorensen
2011-07-20 9:36 ` Daniel P. Berrange
2011-07-20 10:15 ` [Qemu-devel] [libvirt] " Nicolas Sebrecht
2011-07-20 10:28 ` Daniel P. Berrange
2011-07-20 11:40 ` [Qemu-devel] [libvirt] " Stefan Hajnoczi
[not found] ` <4E27E610.7090502@redhat.com>
[not found] ` <4E282DE6.1020603@redhat.com>
[not found] ` <4E283554.4080903@redhat.com>
2011-07-21 14:51 ` Eric Blake
[not found] ` <4E27E5A2.2030208@redhat.com>
[not found] ` <4E28317D.9020502@redhat.com>
2011-07-21 15:01 ` [Qemu-devel] " Stefan Hajnoczi
2011-07-21 19:42 ` Blue Swirl
2011-07-22 5:06 ` Stefan Hajnoczi
2011-07-22 15:49 ` Blue Swirl
2011-07-22 7:22 ` Kevin Wolf
2011-07-22 9:11 ` Stefan Hajnoczi
2011-07-22 16:05 ` Blue Swirl
2011-07-20 9:50 ` Kevin Wolf
2011-07-20 10:18 ` Daniel P. Berrange
2011-07-19 16:14 ` Anthony Liguori
2011-07-20 8:25 ` Jes Sorensen
2011-07-20 10:01 ` Kevin Wolf
2011-07-20 13:25 ` Jes Sorensen
2011-07-20 13:46 ` Eric Blake
2011-07-20 17:27 ` Blue Swirl
2011-07-20 17:47 ` Eric Blake
2011-07-20 19:51 ` Blue Swirl
[not found] ` <4E27DE5D.5050502@redhat.com>
2011-07-21 19:34 ` Blue Swirl
2011-07-20 13:51 ` Kevin Wolf
2011-07-20 17:20 ` Blue Swirl
2011-07-20 17:41 ` Eric Blake
2011-07-20 18:00 ` Blue Swirl
2011-07-20 18:17 ` Eric Blake [this message]
2011-07-20 20:01 ` Blue Swirl
2011-07-20 20:10 ` Eric Blake
[not found] ` <4E27E280.2060306@redhat.com>
2011-07-21 19:01 ` Blue Swirl
2011-07-22 7:36 ` Avi Kivity
2011-07-22 8:11 ` Kevin Wolf
2011-07-22 16:09 ` Blue Swirl
2011-07-20 13:50 ` Cleber Rosa
2011-07-20 14:34 ` Anthony Liguori
2011-07-20 18:34 ` Cleber Rosa
2011-07-19 16:47 ` Daniel P. Berrange
2011-07-20 8:26 ` Jes Sorensen
2011-07-20 9:38 ` Daniel P. Berrange
2011-07-20 14:35 ` Anthony Liguori
2011-07-21 18:56 ` Michael Roth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E271BD2.7040805@redhat.com \
--to=eblake@redhat.com \
--cc=Jes.Sorensen@redhat.com \
--cc=blauwirbel@gmail.com \
--cc=kwolf@redhat.com \
--cc=libvir-list@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
--cc=stefanha@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).