From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:50792) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TRI3V-00034l-6J for qemu-devel@nongnu.org; Thu, 25 Oct 2012 03:40:42 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TRI3U-00048i-2N for qemu-devel@nongnu.org; Thu, 25 Oct 2012 03:40:41 -0400 Received: from mx1.redhat.com ([209.132.183.28]:59804) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TRI3T-00048Z-QW for qemu-devel@nongnu.org; Thu, 25 Oct 2012 03:40:39 -0400 Message-ID: <5088ECEE.4090104@redhat.com> Date: Thu, 25 Oct 2012 09:40:30 +0200 From: Paolo Bonzini MIME-Version: 1.0 References: <1350479712-15082-1-git-send-email-otubo@linux.vnet.ibm.com> <1350479712-15082-4-git-send-email-otubo@linux.vnet.ibm.com> <50801D29.2080305@redhat.com> <5087F899.2030604@linux.vnet.ibm.com> <5088078B.3070002@redhat.com> <50880B96.20802@linux.vnet.ibm.com> <50880CFF.5010008@redhat.com> <50882598.5090100@linux.vnet.ibm.com> In-Reply-To: <50882598.5090100@linux.vnet.ibm.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Corey Bryant Cc: pmoore@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org, Eduardo Otubo Il 24/10/2012 19:30, Corey Bryant ha scritto: > > > On 10/24/2012 11:45 AM, Paolo Bonzini wrote: >> Il 24/10/2012 17:39, Corey Bryant ha scritto: >>> >>> >>> On 10/24/2012 11:21 AM, Paolo Bonzini wrote: >>>> Il 24/10/2012 16:18, Corey Bryant ha scritto: >>>>> >>>>> >>>>> On 10/18/2012 11:15 AM, Paolo Bonzini wrote: >>>>>> Il 17/10/2012 15:15, Eduardo Otubo ha scritto: >>>>>>> With the inclusion of the new "double whitelist" seccomp filter, >>>>>>> Qemu >>>>>>> won't be able to execve() in runtime, thus, no hotplug net devices >>>>>>> allowed. >>>>>>> >>>>>>> Signed-off-by: Eduardo Otubo >>>>>> >>>>>> Please check this in net_init_tap instead. When using libvirt, >>>>>> hotplug >>>>>> is done with a completely different mechanism that involves >>>>>> file-descriptor passing and does not require executing a helper. >>>>>> >>>>>> Paolo >>>>>> >>>>> >>>>> Are you sure net_init_tap() is the right place for this check? >>>> >>>> Yes, assuming there is a global that says whether the seccomp >>>> sandbox is >>>> in effect. Even something like "if (sandbox_active && !tap->has_fd) >>>> error(...)" can be enough. >>>> >>>> Paolo >>>> >>> >>> What do you think about this? It moves the checks into the functions >>> that actually cause execve() to be called, and it only prevents the >>> commands after QEMU is done with initialization in main(). >> >> It doesn't do error reporting correctly because these functions do not >> get an Error **. If you change that and use error_setg instead of >> error_report, it should be okay. > > I just wanted to follow up on a few things.. > > All of the following functions currently use qerror_report(). I'm > thinking conversion of these and sub-functions to pass an Error ** > parameter should be a separate undertaking. > > net_init_nic > net_init_slirp > net_init_tap > net_init_socket > net_init_vde > net_init_dump > net_init_bridge > net_init_hubport Ok, but it should not be hard considering that the immediate caller of all these functions (net_client_init1) takes an Error **. Please consider this for 1.4 at least. >> However, I really think what your testing is not >> runstate_is_prelaunch(), it is seccomp_effective(). If you structure >> the test like that, it also lets you eliminate the #ifdef (which in >> general we prefer to avoid). > > The reason for testing runstate_is_prelaunch() is because seccomp will > be effective during and after prelaunch. The only difference is that a > more restrictive syscall whitelist will be in effect after prelaunch. So > perhaps the tests can be similar to the following so that we can get rid > of the preprocessor #ifdef: > > if (seccomp_is_effective() && !runstate_is_prelaunch()) { > error_report("Cannot execute network helper from QEMU monitor " > "when -sandbox is in effect"); > return -1; > } Then you can make the seccomp query return many levels or flags, like SECCOMP_SANDBOX_ENABLED | SECCOMP_CAN_EXECVE. Paolo