From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:46323)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1RYMBi-0004ci-Gi
	for qemu-devel@nongnu.org; Wed, 07 Dec 2011 13:25:54 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1RYMBc-0007NK-Qg
	for qemu-devel@nongnu.org; Wed, 07 Dec 2011 13:25:50 -0500
Received: from e3.ny.us.ibm.com ([32.97.182.143]:59421)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1RYMBc-0007N8-O0
	for qemu-devel@nongnu.org; Wed, 07 Dec 2011 13:25:44 -0500
Received: from /spool/local
	by e3.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <coreyb@linux.vnet.ibm.com>;
	Wed, 7 Dec 2011 13:25:37 -0500
Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64])
	by d01relay05.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	pB7IPWDc095120
	for <qemu-devel@nongnu.org>; Wed, 7 Dec 2011 13:25:32 -0500
Received: from d01av04.pok.ibm.com (loopback [127.0.0.1])
	by d01av04.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	pB7IPUeY015184
	for <qemu-devel@nongnu.org>; Wed, 7 Dec 2011 13:25:32 -0500
Message-ID: <4EDFAF91.4070904@linux.vnet.ibm.com>
Date: Wed, 07 Dec 2011 13:25:21 -0500
From: Corey Bryant <coreyb@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] [RFC] Device sandboxing
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Anthony Liguori <aliguori@us.ibm.com>, Stefan Hajnoczi <stefanha@gmail.com>, Michael Halcrow <mhalcrow@google.com>, =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <radimkrcmar@hpx.cz>, Corey C Bryant <coreyb@linux.vnet.ibm.com>, Lee Terrell <lterrell@us.ibm.com>, Eric Paris <eparis@redhat.com>, Paul Moore <pmoore@redhat.com>, Eduardo Terrell Ferrari Otubo <eotubo@br.ibm.com>, Avi Kivity <avi@redhat.com>, Richa Marwaha <rmarwah@us.ibm.com>, Amit Shah <amit.shah@redhat.com>, Ashley D Lai <adlai@us.ibm.com>, George Wilson <gcwilson@us.ibm.com>

A group of us are starting to work on sandboxing QEMU device emulation
code.  We're just getting started investigating various approaches, and
want to engage the community to gather input.

Following are the design points that we are currently considering:

* Decompose QEMU into multiple processes:

     * This could be done such that QEMU devices execute in separate
       processes based on device type, e.g. all block devices in one
       process and all network devices in a second process.  Another
       alternative is executing a separate process per device.

     * Decomposition would not only afford a level of security inherent
       in process separation, it would also allow development of stricter
       sVirt/SELinux policy for the decomposed QEMU processes (e.g. a
       block device specific policy).  This would enable a true sandbox
       with layers of defense.

* Decompose the device emulation process further into an untrusted and
   trusted thread:

     * The untrusted thread would be restricted by seccomp mode 1 and
       would contain the device emulation code.

     * The trusted helper thread would run beside the untrusted thread,
       enabling the untrusted thread to make syscalls beyond read(),
       write(), exit(), and sigreturn().

* IPC communication mechanisms:

     * An IPC mechanism will be required to enable communication between
       untrusted and trusted threads.

     * An IPC mechanism will also be required to enable communication
       between the main QEMU process and device processes.

     * The communication mechanisms must provide secure communication,
       be low overhead (easy to generate, parse, and validate), and must
       play well with sVirt/LSMs.

     * Some thoughts for IPC mechanisms are Unix sockets, pipes, virtio,
       Google Native Client's IMC, and shared memory.

* If seccomp mode 2 support becomes available, decomposition of device
   emulation into untrusted/trusted threads may not be necessary.  This
   could result in improved performance (no IPC overhead between trusted
   and untrusted thread) and reduced complexity (no need for trusted
   helper thread).

* Execution of QEMU with the sandboxed device support should be an
   optional run-time specification.

* We will be focusing on legacy devices first, both for performance and
   risk reasons.

Once we settle on a direction, we will develop a proof of concept to
share with the community.

We appreciate your input.

Regards,

Ashley Lai
Corey Bryant
Eduardo Otubo
Michael Halcrow
Paul Moore
Richa Marwaha