Message-ID: <4EC25677.4080600@in.ibm.com>
Date: Tue, 15 Nov 2011 17:39:27 +0530
From: "M. Mohan Kumar"
To: qemu-devel@nongnu.org, aneesh.kumar@linux.vnet.ibm.com, stefanha@gmail.com, berrange@redhat.com
Subject: Re: [Qemu-devel] [PATCH V2 00/12] Proxy FS driver for VirtFS
In-Reply-To: <1321358265-10924-1-git-send-email-mohan@in.ibm.com>
References: <1321358265-10924-1-git-send-email-mohan@in.ibm.com>

Changes from previous version:

1) Communication between qemu and helper process is similar to 9p way of packing elements (pdu marshaling).

M. Mohan Kumar wrote:
> Pass-through security model in QEMU 9p server needs root privilege to do
> few file operations (like chown, chmod to any mode/uid:gid). There are two
> issues in pass-through security model
>
> 1) TOCTTOU vulnerability: Following symbolic links in the server could
> provide access to files beyond 9p export path.
>
> 2) Running QEMU with root privilege could be a security issue.
>
> To overcome the above issues, the following approach is used: A new filesystem
> type 'proxy' is introduced. Proxy FS uses a chroot + socket combination
> for securing the vulnerability known with following symbolic links.
> Intention of adding a new filesystem type is to allow qemu to run
> in non-root mode, but doing privileged operations using socket IO.
>
> Proxy helper (a stand-alone binary, part of qemu) is invoked with
> root privileges. Proxy helper chroots into 9p export path and creates
> a socket pair or a named socket based on the command line parameter.
> Qemu and proxy helper communicate using this socket. QEMU proxy fs
> driver sends filesystem request to proxy helper and receives the
> response from it.
>
> Proxy helper is designed so that it can drop the root privilege but
> retaining capabilities that are needed for doing filesystem operations
> (like CAP_DAC_OVERRIDE, CAP_FOWNER etc)
>
> M. Mohan Kumar (12):
>   hw/9pfs: Move pdu_marshal/unmarshal code to a seperate file
>   hw/9pfs: Add new proxy filesystem driver
>   hw/9pfs: File system helper process for qemu 9p proxy FS
>   hw/9pfs: Open and create files
>   hw/9pfs: Create other filesystem objects
>   hw/9pfs: Add stat/readlink/statfs for proxy FS
>   hw/9pfs: File ownership and others
>   hw/9pfs: xattr interfaces in proxy filesystem driver
>   hw/9pfs: Proxy getversion
>   hw/9pfs: Documentation changes related to proxy fs
>   hw/9pfs: man page for proxy helper
>   hw/9pfs: Add support to use named socket for proxy FS
>
>  Makefile                       |   15 +-
>  Makefile.objs                  |    4 +-
>  configure                      |   19 +
>  fsdev/file-op-9p.h             |    3 +-
>  fsdev/qemu-fsdev.c             |    1 +
>  fsdev/qemu-fsdev.h             |    1 +
>  fsdev/virtfs-proxy-helper.c    |  947 +++++++++++++++++++++++++++++++++
>  fsdev/virtfs-proxy-helper.texi |   63 +++
>  fsdev/virtio-9p-marshal.c      |  338 ++++++++++++
>  fsdev/virtio-9p-marshal.h      |   87 +++
>  hw/9pfs/virtio-9p-proxy.c      | 1123 ++++++++++++++++++++++++++++++++++++++++
>  hw/9pfs/virtio-9p-proxy.h      |   80 +++
>  hw/9pfs/virtio-9p.c            |  297 +-----------
>  hw/9pfs/virtio-9p.h            |   85 +---
>  qemu-config.c                  |   13 +
>  qemu-options.hx                |   32 +-
>  vl.c                           |   10 +-
>  17 files changed, 2736 insertions(+), 382 deletions(-)
>  create mode 100644 fsdev/virtfs-proxy-helper.c
>  create mode 100644 fsdev/virtfs-proxy-helper.texi
>  create mode 100644 fsdev/virtio-9p-marshal.c
>  create mode 100644 fsdev/virtio-9p-marshal.h
>  create mode 100644 hw/9pfs/virtio-9p-proxy.c
>  create mode 100644 hw/9pfs/virtio-9p-proxy.h
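An added example, not QEMU's code and not the helper's real wire format (the request id and the (type, path, mode) layout are assumptions here): a bounds-checked marshal/unmarshal of one request in the 9p packing style the change above refers to, little-endian integers and 16-bit length-prefixed strings. The decode side is the part that matters in this design, since the helper runs with root privilege and unpacks whatever the unprivileged qemu process sends over the socket.

```c
#include <stdint.h>
#include <string.h>
/* Little-endian u32 at *off; 0 on success, -1 if it does not fit in cap. */
static int put_u32(uint8_t *buf, size_t cap, size_t *off, uint32_t v) {
    if (*off > cap || cap - *off < 4) return -1;
    for (int i = 0; i < 4; i++) buf[*off + i] = (uint8_t)(v >> (8 * i));
    *off += 4;
    return 0;
}
/* 9p "s" element: u16 length followed by the bytes, no terminator. */
static int put_str(uint8_t *buf, size_t cap, size_t *off, const char *s) {
    size_t n = strlen(s);
    if (n > UINT16_MAX || *off > cap || cap - *off < 2 + n) return -1;
    buf[*off] = (uint8_t)n; buf[*off + 1] = (uint8_t)(n >> 8);
    memcpy(buf + *off + 2, s, n);
    *off += 2 + n;
    return 0;
}
static int get_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *v) {
    if (*off > len || len - *off < 4) return -1;
    *v = 0; for (int i = 0; i < 4; i++) *v |= (uint32_t)buf[*off + i] << (8 * i);
    *off += 4;
    return 0;
}
/* The length prefix comes from the peer: check it against len and outcap before copying. */
static int get_str(const uint8_t *buf, size_t len, size_t *off, char *out, size_t outcap) {
    if (*off > len || len - *off < 2) return -1;
    size_t n = (size_t)buf[*off] | ((size_t)buf[*off + 1] << 8);
    if (len - *off - 2 < n || n >= outcap) return -1;
    memcpy(out, buf + *off + 2, n);
    out[n] = '\0';
    *off += 2 + n;
    return 0;
}
/* Encode a chmod request as (type, path, mode); type 1 is an assumed id,
 * not QEMU's numbering. Returns the byte count, or -1 if buf is too small. */
int marshal_chmod(uint8_t *buf, size_t cap, const char *path, uint32_t mode) {
    size_t off = 0;
    if (put_u32(buf, cap, &off, 1u) || put_str(buf, cap, &off, path) ||
        put_u32(buf, cap, &off, mode)) return -1;
    return (int)off;
}
/* Helper-side decode: rejects truncated input, a lying length prefix, and
 * trailing bytes rather than reading past what was actually received. */
int unmarshal_chmod(const uint8_t *buf, size_t len, char *path, size_t pathcap, uint32_t *mode) {
    size_t off = 0; uint32_t type;
    if (get_u32(buf, len, &off, &type) || type != 1u || get_str(buf, len, &off, path, pathcap) ||
        get_u32(buf, len, &off, mode) || off != len) return -1;
    return 0;
}
```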