From: Corey Bryant <coreyb@linux.vnet.ibm.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: "Stefan Hajnoczi" <stefanha@gmail.com>,
"Michael Halcrow" <mhalcrow@google.com>,
qemu-devel@nongnu.org, "Eric Paris" <eparis@redhat.com>,
"Paul Moore" <pmoore@redhat.com>,
"Ashley D Lai" <adlai@us.ibm.com>, "Avi Kivity" <avi@redhat.com>,
"Richa Marwaha" <rmarwah@us.ibm.com>,
"Amit Shah" <amit.shah@redhat.com>,
"Radim Krčmář" <radimkrcmar@hpx.cz>,
"Eduardo Terrell Ferrari Otubo" <eotubo@br.ibm.com>,
"Lee Terrell" <lterrell@us.ibm.com>,
"George Wilson" <gcwilson@us.ibm.com>
Subject: Re: [Qemu-devel] [RFC] Device sandboxing
Date: Wed, 07 Dec 2011 15:02:45 -0500 [thread overview]
Message-ID: <4EDFC665.3040800@linux.vnet.ibm.com> (raw)
In-Reply-To: <4EDFC1F3.1080900@codemonkey.ws>
On 12/07/2011 02:43 PM, Anthony Liguori wrote:
> On 12/07/2011 01:32 PM, Corey Bryant wrote:
>>
>> Agreed.
>>
>>>> * The untrusted thread would be restricted by seccomp mode 1 and
>>>> would contain the device emulation code.
>>>
>>> I think the best strategy would allow for a device to run either in the
>>> untrusted thread or the trusted thread. This makes performance testing a
>>> bit easier and it also makes development a bit more natural.
>>>
>>
>> When you refer to the device running in the trusted thread, are you
>> talking
>> about the case where you run QEMU without sandboxing support? I think
>> we would
>> ideally like to add this new support such that if it is not enabled,
>> QEMU will
>> still run as a single process and decomposition wouldn't occur.
>>
>>>> * The trusted helper thread would run beside the untrusted thread,
>>>> enabling the untrusted thread to make syscalls beyond read(),
>>>> write(), exit(), and sigreturn().
>>>
>>> I assume you mean process, not thread BTW?
>>>
>>
>> I do mean thread. When making calls on behalf of the seccomp'd thread,
>> I think
>> there will be syscalls that must be called from the same address
>> space. That's
>> where the the trusted helper thread would come into play.
>>
>>>> * IPC communication mechanisms:
>>>>
>>>> * An IPC mechanism will be required to enable communication between
>>>> untrusted and trusted threads.
>>>>
>>>> * An IPC mechanism will also be required to enable communication
>>>> between the main QEMU process and device processes.
>>>
>>> IPC is easy. We have tons of infrastructure in QEMU for IPC (virtio,
>>> QMP, etc.). Please don't reinvent the wheel here.
>>>
>>
>> Ok
>>
>>>> * The communication mechanisms must provide secure communication,
>>>> be low overhead (easy to generate, parse, and validate), and must
>>>> play well with sVirt/LSMs.
>>>
>>> I don't see how sVirt/LSM fits into this but all of these requirements
>>> are also true for the other big untrusted thread that we interact with
>>> (the guest itself).
>>>
>>> My view is that we should view the untrusted thread as an extension of
>>> the guest and that the interfaces between the trusted thread and the
>>> untrusted thread views it simply as another machine type that presents a
>>> different (simpler) hardware abstraction.
>>>
>>
>> Yes this makes sense. I think our biggest concern with IPC is that we
>> don't
>> introduce a TOCTTOU opportunity for a device to change call parameters
>> after
>> they've been checked and before the calls is made on behalf of the
>> sandboxed
>> thread. Shared memory that is writable by both untrusted/trusted
>> thread could
>> introduce this.
>
> This is no different than dealing with a guest. We have to handle this
> with virtio already.
>
Well that's good.
>>
>>>> * Some thoughts for IPC mechanisms are Unix sockets, pipes, virtio,
>>>> Google Native Client's IMC, and shared memory.
>>>
>>> The actual mechanism doesn't really matter I think, but see above
>>> comments.
>>>
>>>> * If seccomp mode 2 support becomes available, decomposition of device
>>>> emulation into untrusted/trusted threads may not be necessary. This
>>>> could result in improved performance (no IPC overhead between trusted
>>>> and untrusted thread) and reduced complexity (no need for trusted
>>>> helper thread).
>>>
>>> If mode 2 is the Right Answer, then we shouldn't wait for it to become
>>> available. We should make it available by pushing it into the kernel.
>>>
>>> If we all agree that if mode 2 existed, it's what we would use, then
>>> that we have the answer to this discussion and we know what we need to
>>> go off and do.
>>>
>>
>> That would seem like the logical approach. I think there may be new
>> mode 2
>> patches coming soon so we can see how they go over.
>
> I'd like to see what the whitelist would need to be for something like
> QEMU in mode 2. My biggest concern is that the whitelist would need to
> be so large that the practical security what's all that much improved.
This may not tell the whole story. These are the syscalls found to be
called with the following execution: qemu -hda harddrive.raw -boot c
-m 256
access
brk
clock_gettime
clone
close
connect
dup
eventfd2
execve
fcntl64
fstat64
futex
getegid32
geteuid32
getgid32
getpeername
getrlimit
getsockname
gettimeofday
getuid32
ioctl
_llseek
madvise
mmap2
mprotect
munmap
nanosleep
open
poll
prctl
pread64
read
readlink
rt_sigaction
rt_sigprocmask
select
set_robust_list
set_thread_area
set_tid_address
shmat
shmctl
shmdt
shmget
signalfd
socket
stat64
tgkill
time
timer_create
timer_gettime
timer_settime
uname
write
writev
>
> Regards,
>
> Anthony Liguori
>
--
Regards,
Corey
next prev parent reply other threads:[~2011-12-07 20:06 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-07 18:25 [Qemu-devel] [RFC] Device sandboxing Corey Bryant
2011-12-07 18:48 ` Anthony Liguori
2011-12-07 19:32 ` Corey Bryant
2011-12-07 19:43 ` Anthony Liguori
2011-12-07 19:52 ` Michael Halcrow
2011-12-07 20:02 ` Corey Bryant [this message]
2011-12-07 20:54 ` Eric Paris
2011-12-08 9:40 ` Stefan Hajnoczi
2011-12-11 10:50 ` Dor Laor
2011-12-12 18:54 ` Will Drewry
2011-12-08 9:47 ` Stefan Hajnoczi
2011-12-08 14:39 ` Corey Bryant
2011-12-07 21:20 ` Paul Moore
2011-12-14 17:15 ` Serge E. Hallyn
2011-12-14 23:56 ` Paul Moore
2011-12-15 14:28 ` Corey Bryant
2011-12-15 15:14 ` Serge Hallyn
2011-12-15 15:35 ` Paul Moore
2011-12-15 16:05 ` Serge Hallyn
2011-12-08 21:51 ` Blue Swirl
2011-12-12 18:30 ` Corey Bryant
2011-12-09 16:17 ` Paul Brook
2011-12-09 16:34 ` Paul Moore
2011-12-09 17:32 ` Paul Brook
2011-12-09 17:49 ` Paul Moore
2011-12-09 18:46 ` Paul Brook
2011-12-09 18:50 ` Paul Moore
2011-12-09 18:59 ` Paul Brook
2011-12-09 19:17 ` Paul Moore
2011-12-10 19:39 ` Blue Swirl
2011-12-11 9:08 ` Avi Kivity
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EDFC665.3040800@linux.vnet.ibm.com \
--to=coreyb@linux.vnet.ibm.com \
--cc=adlai@us.ibm.com \
--cc=amit.shah@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=eotubo@br.ibm.com \
--cc=eparis@redhat.com \
--cc=gcwilson@us.ibm.com \
--cc=lterrell@us.ibm.com \
--cc=mhalcrow@google.com \
--cc=pmoore@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=radimkrcmar@hpx.cz \
--cc=rmarwah@us.ibm.com \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).