From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:56754)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1TR4me-0001Fp-FN
	for qemu-devel@nongnu.org; Wed, 24 Oct 2012 13:30:34 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1TR4mX-0005JL-Ty
	for qemu-devel@nongnu.org; Wed, 24 Oct 2012 13:30:22 -0400
Received: from e9.ny.us.ibm.com ([32.97.182.139]:41870)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <coreyb@linux.vnet.ibm.com>) id 1TR4mX-0005EM-PO
	for qemu-devel@nongnu.org; Wed, 24 Oct 2012 13:30:17 -0400
Received: from /spool/local
	by e9.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only!
	Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <coreyb@linux.vnet.ibm.com>;
	Wed, 24 Oct 2012 13:30:06 -0400
Received: from d01relay03.pok.ibm.com (d01relay03.pok.ibm.com [9.56.227.235])
	by d01dlp01.pok.ibm.com (Postfix) with ESMTP id C96A738C80A2
	for <qemu-devel@nongnu.org>; Wed, 24 Oct 2012 13:30:03 -0400 (EDT)
Received: from d01av02.pok.ibm.com (d01av02.pok.ibm.com [9.56.224.216])
	by d01relay03.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id
	q9OHU38h260788
	for <qemu-devel@nongnu.org>; Wed, 24 Oct 2012 13:30:03 -0400
Received: from d01av02.pok.ibm.com (loopback [127.0.0.1])
	by d01av02.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id
	q9OHU1Y8014337
	for <qemu-devel@nongnu.org>; Wed, 24 Oct 2012 15:30:02 -0200
Message-ID: <50882598.5090100@linux.vnet.ibm.com>
Date: Wed, 24 Oct 2012 13:30:00 -0400
From: Corey Bryant <coreyb@linux.vnet.ibm.com>
MIME-Version: 1.0
References: <1350479712-15082-1-git-send-email-otubo@linux.vnet.ibm.com>
	<1350479712-15082-4-git-send-email-otubo@linux.vnet.ibm.com>
	<50801D29.2080305@redhat.com> <5087F899.2030604@linux.vnet.ibm.com>
	<5088078B.3070002@redhat.com> <50880B96.20802@linux.vnet.ibm.com>
	<50880CFF.5010008@redhat.com>
In-Reply-To: <50880CFF.5010008@redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: pmoore@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org, Eduardo Otubo <otubo@linux.vnet.ibm.com>



On 10/24/2012 11:45 AM, Paolo Bonzini wrote:
> Il 24/10/2012 17:39, Corey Bryant ha scritto:
>>
>>
>> On 10/24/2012 11:21 AM, Paolo Bonzini wrote:
>>> Il 24/10/2012 16:18, Corey Bryant ha scritto:
>>>>
>>>>
>>>> On 10/18/2012 11:15 AM, Paolo Bonzini wrote:
>>>>> Il 17/10/2012 15:15, Eduardo Otubo ha scritto:
>>>>>> With the inclusion of the new "double whitelist" seccomp filter, Qemu
>>>>>> won't be able to execve() in runtime, thus, no hotplug net devices
>>>>>> allowed.
>>>>>>
>>>>>> Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
>>>>>
>>>>> Please check this in net_init_tap instead.  When using libvirt, hotplug
>>>>> is done with a completely different mechanism that involves
>>>>> file-descriptor passing and does not require executing a helper.
>>>>>
>>>>> Paolo
>>>>>
>>>>
>>>> Are you sure net_init_tap() is the right place for this check?
>>>
>>> Yes, assuming there is a global that says whether the seccomp sandbox is
>>> in effect.  Even something like "if (sandbox_active && !tap->has_fd)
>>> error(...)" can be enough.
>>>
>>> Paolo
>>>
>>
>> What do you think about this? It moves the checks into the functions
>> that actually cause execve() to be called, and it only prevents the
>> commands after QEMU is done with initialization in main().
>
> It doesn't do error reporting correctly because these functions do not
> get an Error **.  If you change that and use error_setg instead of
> error_report, it should be okay.

I just wanted to follow up on a few things..

All of the following functions currently use qerror_report().  I'm 
thinking conversion of these and sub-functions to pass an Error ** 
parameter should be a separate undertaking.

net_init_nic
net_init_slirp
net_init_tap
net_init_socket
net_init_vde
net_init_dump
net_init_bridge
net_init_hubport

>
> However, I really think what your testing is not
> runstate_is_prelaunch(), it is seccomp_effective().  If you structure
> the test like that, it also lets you eliminate the #ifdef (which in
> general we prefer to avoid).

The reason for testing runstate_is_prelaunch() is because seccomp will 
be effective during and after prelaunch.  The only difference is that a 
more restrictive syscall whitelist will be in effect after prelaunch. So 
perhaps the tests can be similar to the following so that we can get rid 
of the preprocessor #ifdef:

if (seccomp_is_effective() && !runstate_is_prelaunch()) {
     error_report("Cannot execute network helper from QEMU monitor "
                  "when -sandbox is in effect");
     return -1;
}

-- 
Regards,
Corey Bryant