From: Anthony Liguori <aliguori@us.ibm.com>
To: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: "M. Mohan Kumar" <mohan@in.ibm.com>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PULL] VirtFS Proxy FS driver changes
Date: Mon, 09 Jan 2012 08:52:50 -0600
Message-ID: <4F0AFF42.7070306@us.ibm.com>
In-Reply-To: <87ty4btosa.fsf@linux.vnet.ibm.com>

On 01/04/2012 10:28 AM, Aneesh Kumar K.V wrote:
>
> The following changes since commit f3c6a169a39d188e98c17a0a0ebfa7f85e5aafdd:
>
> Merge remote-tracking branch 'qemu-kvm/memory/page_desc' into staging (2012-01-03 14:39:05 -0600)
>
> are available in the git repository at:
>
>
> git://github.com/kvaneesh/QEMU.git for-upstream
>
> Also available at signed tag virtfs-proxy-support
>
>
> for you to fetch changes up to 84a87cc4cc77f9e6829e20726f00646afe12deed:
>
> hw/9pfs: Add support to use named socket for proxy FS (2012-01-04 21:23:55 +0530)

Pulled. Thanks.

Regards,

Anthony Liguori

>
> ----------------------------------------------------------------
> Pass-through security model in QEMU 9p server needs root privilege to do
> few file operations (like chown, chmod to any mode/uid:gid). There are two
> issues in pass-through security model
>
> 1) TOCTTOU vulnerability: Following symbolic links in the server could
> provide access to files beyond 9p export path.
>
> 2) Running QEMU with root privilege could be a security issue.
>
> To overcome above issues, following approach is used: A new filesystem
> type 'proxy' is introduced. Proxy FS uses chroot + socket combination
> for securing the vulnerability known with following symbolic links.
> Intention of adding a new filesystem type is to allow qemu to run
> in non-root mode, but doing privileged operations using socket IO.
>
> Proxy helper(a stand alone binary part of qemu) is invoked with
> root privileges. Proxy helper chroots into 9p export path and creates
> a socket pair or a named socket based on the command line parameter.
> Qemu and proxy helper communicate using this socket. QEMU proxy fs
> driver sends filesystem request to proxy helper and receives the
> response from it.
>
> Proxy helper is designed so that it can drop the root privilege but
> retaining capabilities that are needed for doing filesystem operations
> (like CAP_DAC_OVERRIDE, CAP_FOWNER etc)
>
> ----------------------------------------------------------------
> Aneesh Kumar K.V (1):
> hw/9pfs: Move opt validation to FsDriver callback
>
> M. Mohan Kumar (13):
> hw/9pfs: Move pdu_marshal/unmarshal code to a seperate file
> hw/9pfs: Add validation to {un}marshal code
> hw/9pfs: Add new proxy filesystem driver
> hw/9pfs: File system helper process for qemu 9p proxy FS
> hw/9pfs: Open and create files
> hw/9pfs: Create other filesystem objects
> hw/9pfs: Add stat/readlink/statfs for proxy FS
> hw/9pfs: File ownership and others
> hw/9pfs: xattr interfaces in proxy filesystem driver
> hw/9pfs: Proxy getversion
> hw/9pfs: Documentation changes related to proxy fs
> hw/9pfs: man page for proxy helper
> hw/9pfs: Add support to use named socket for proxy FS
>
> Makefile | 15 +-
> Makefile.objs | 3 +-
> configure | 19 +
> fsdev/file-op-9p.h | 17 +-
> fsdev/qemu-fsdev.c | 45 +--
> fsdev/qemu-fsdev.h | 11 +-
> fsdev/virtfs-proxy-helper.c | 1120 +++++++++++++++++++++++++++++++++++++
> fsdev/virtfs-proxy-helper.texi | 63 +++
> fsdev/virtio-9p-marshal.c | 323 +++++++++++
> fsdev/virtio-9p-marshal.h | 90 +++
> hw/9pfs/virtio-9p-device.c | 13 +-
> hw/9pfs/virtio-9p-handle.c | 20 +
> hw/9pfs/virtio-9p-local.c | 34 ++
> hw/9pfs/virtio-9p-proxy.c | 1210 ++++++++++++++++++++++++++++++++++++++++
> hw/9pfs/virtio-9p-proxy.h | 95 ++++
> hw/9pfs/virtio-9p.c | 704 +++++++++++------------
> hw/9pfs/virtio-9p.h | 83 +---
> qemu-config.c | 13 +
> qemu-options.hx | 32 +-
> vl.c | 18 +-
> 20 files changed, 3414 insertions(+), 514 deletions(-)
> create mode 100644 fsdev/virtfs-proxy-helper.c
> create mode 100644 fsdev/virtfs-proxy-helper.texi
> create mode 100644 fsdev/virtio-9p-marshal.c
> create mode 100644 fsdev/virtio-9p-marshal.h
> create mode 100644 hw/9pfs/virtio-9p-proxy.c
> create mode 100644 hw/9pfs/virtio-9p-proxy.h
>
>
>
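
Added example, not code from this pull request: the symlink problem named in the quoted cover letter, shown on a constructed temporary tree. The proxy helper in the series confines lookups with chroot, which needs root; this example substitutes a per-component openat() walk with O_NOFOLLOW so it runs unprivileged. The names open_beneath and run_demo and the directory layout are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open rel beneath directory fd root; a symlink or ".." component fails. */
int open_beneath(int root, const char *rel, int flags)
{
    char buf[4096], *save = NULL;
    if (strlen(rel) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    int dir = dup(root);
    char *comp = strtok_r(buf, "/", &save);
    while (dir >= 0 && comp) {
        char *next = strtok_r(NULL, "/", &save);
        /* Inner components: real directories only. Last one: never a symlink. */
        int f = next ? (O_RDONLY | O_DIRECTORY | O_NOFOLLOW) : (flags | O_NOFOLLOW);
        int fd = strcmp(comp, "..") ? openat(dir, comp, f) : (errno = EACCES, -1);
        close(dir);   /* each step is anchored to an fd, not a re-resolved path */
        dir = fd;
        comp = next;
    }
    return dir;
}

/* Constructed tree (left in /tmp): secret.txt outside, export/{ok.txt,link,dirlink}.
 * Bits: 1 plain openat() left the export, 2 ok.txt opened, 4 and 8 links refused. */
int run_demo(void)
{
    char base[] = "/tmp/p9demoXXXXXX";
    int b = mkdtemp(base) ? open(base, O_RDONLY | O_DIRECTORY) : -1, bits = 0, fd;
    if (b < 0 || mkdirat(b, "export", 0700)) return -1;
    close(openat(b, "secret.txt", O_CREAT | O_WRONLY, 0600));
    close(openat(b, "export/ok.txt", O_CREAT | O_WRONLY, 0600));
    if (symlinkat("../secret.txt", b, "export/link") ||
        symlinkat("..", b, "export/dirlink")) return -1;
    int root = openat(b, "export", O_RDONLY | O_DIRECTORY);
    if ((fd = openat(root, "link", O_RDONLY)) >= 0) { bits |= 1; close(fd); }
    if ((fd = open_beneath(root, "ok.txt", O_RDONLY)) >= 0) { bits |= 2; close(fd); }
    if (open_beneath(root, "link", O_RDONLY) < 0) bits |= 4;
    if (open_beneath(root, "dirlink/secret.txt", O_RDONLY) < 0) bits |= 8;
    close(root); close(b);
    return bits;
}

int main(void) { printf("result bits: %d\n", run_demo()); return 0; }
```
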