From: Anthony Liguori
Date: Mon, 09 Jan 2012 08:52:50 -0600
Subject: Re: [Qemu-devel] [PULL] VirtFS Proxy FS driver changes
To: "Aneesh Kumar K.V"
Cc: "M. Mohan Kumar", QEMU Developers
Message-ID: <4F0AFF42.7070306@us.ibm.com>
In-Reply-To: <87ty4btosa.fsf@linux.vnet.ibm.com>

On 01/04/2012 10:28 AM, Aneesh Kumar K.V wrote:
>
> The following changes since commit f3c6a169a39d188e98c17a0a0ebfa7f85e5aafdd:
>
>   Merge remote-tracking branch 'qemu-kvm/memory/page_desc' into staging (2012-01-03 14:39:05 -0600)
>
> are available in the git repository at:
>
>   git://github.com/kvaneesh/QEMU.git for-upstream
>
> Also available at signed tag virtfs-proxy-support
>
> for you to fetch changes up to 84a87cc4cc77f9e6829e20726f00646afe12deed:
>
>   hw/9pfs: Add support to use named socket for proxy FS (2012-01-04 21:23:55 +0530)

Pulled. Thanks.

Regards,

Anthony Liguori

> ----------------------------------------------------------------
> The pass-through security model in the QEMU 9p server needs root privilege to do
> a few file operations (like chown, chmod to any mode/uid:gid). There are two
> issues in the pass-through security model:
>
> 1) TOCTTOU vulnerability: Following symbolic links in the server could
>    provide access to files beyond the 9p export path.
>
> 2) Running QEMU with root privilege could be a security issue.
>
> To overcome the above issues, the following approach is used: A new filesystem
> type 'proxy' is introduced. Proxy FS uses a chroot + socket combination
> for securing the vulnerability known with following symbolic links.
> The intention of adding a new filesystem type is to allow qemu to run
> in non-root mode, but doing privileged operations using socket IO.
>
> The proxy helper (a stand-alone binary, part of qemu) is invoked with
> root privileges. The proxy helper chroots into the 9p export path and creates
> a socket pair or a named socket based on the command line parameter.
> Qemu and the proxy helper communicate using this socket. The QEMU proxy fs
> driver sends filesystem requests to the proxy helper and receives the
> responses from it.
>
> The proxy helper is designed so that it can drop the root privilege while
> retaining the capabilities that are needed for doing filesystem operations
> (like CAP_DAC_OVERRIDE, CAP_FOWNER etc.)
>
> ----------------------------------------------------------------
> Aneesh Kumar K.V (1):
>       hw/9pfs: Move opt validation to FsDriver callback
>
> M. Mohan Kumar (13):
>       hw/9pfs: Move pdu_marshal/unmarshal code to a seperate file
>       hw/9pfs: Add validation to {un}marshal code
>       hw/9pfs: Add new proxy filesystem driver
>       hw/9pfs: File system helper process for qemu 9p proxy FS
>       hw/9pfs: Open and create files
>       hw/9pfs: Create other filesystem objects
>       hw/9pfs: Add stat/readlink/statfs for proxy FS
>       hw/9pfs: File ownership and others
>       hw/9pfs: xattr interfaces in proxy filesystem driver
>       hw/9pfs: Proxy getversion
>       hw/9pfs: Documentation changes related to proxy fs
>       hw/9pfs: man page for proxy helper
>       hw/9pfs: Add support to use named socket for proxy FS
>
>  Makefile                       |   15 +-
>  Makefile.objs                  |    3 +-
>  configure                      |   19 +
>  fsdev/file-op-9p.h             |   17 +-
>  fsdev/qemu-fsdev.c             |   45 +--
>  fsdev/qemu-fsdev.h             |   11 +-
>  fsdev/virtfs-proxy-helper.c    | 1120 +++++++++++++++++++++++++++++++++++++
>  fsdev/virtfs-proxy-helper.texi |   63 +++
>  fsdev/virtio-9p-marshal.c      |  323 +++++++++++
>  fsdev/virtio-9p-marshal.h      |   90 +++
>  hw/9pfs/virtio-9p-device.c     |   13 +-
>  hw/9pfs/virtio-9p-handle.c     |   20 +
>  hw/9pfs/virtio-9p-local.c      |   34 ++
>  hw/9pfs/virtio-9p-proxy.c      | 1210 ++++++++++++++++++++++++++++++++++++++++
>  hw/9pfs/virtio-9p-proxy.h      |   95 ++++
>  hw/9pfs/virtio-9p.c            |  704 +++++++++++------------
>  hw/9pfs/virtio-9p.h            |   83 +---
>  qemu-config.c                  |   13 +
>  qemu-options.hx                |   32 +-
>  vl.c                           |   18 +-
>  20 files changed, 3414 insertions(+), 514 deletions(-)
>  create mode 100644 fsdev/virtfs-proxy-helper.c
>  create mode 100644 fsdev/virtfs-proxy-helper.texi
>  create mode 100644 fsdev/virtio-9p-marshal.c
>  create mode 100644 fsdev/virtio-9p-marshal.h
>  create mode 100644 hw/9pfs/virtio-9p-proxy.c
>  create mode 100644 hw/9pfs/virtio-9p-proxy.h