From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:51427) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TRkga-00029q-7O for qemu-devel@nongnu.org; Fri, 26 Oct 2012 10:15:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TRkgZ-0007LP-1v for qemu-devel@nongnu.org; Fri, 26 Oct 2012 10:14:56 -0400 Received: from e6.ny.us.ibm.com ([32.97.182.146]:40509) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TRkgY-0007LI-TY for qemu-devel@nongnu.org; Fri, 26 Oct 2012 10:14:54 -0400 Received: from /spool/local by e6.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 26 Oct 2012 10:14:52 -0400 Received: from d01relay03.pok.ibm.com (d01relay03.pok.ibm.com [9.56.227.235]) by d01dlp01.pok.ibm.com (Postfix) with ESMTP id 5F6F538C8065 for ; Fri, 26 Oct 2012 10:14:15 -0400 (EDT) Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay03.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q9QEEERm298300 for ; Fri, 26 Oct 2012 10:14:15 -0400 Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q9QEEEfE024888 for ; Fri, 26 Oct 2012 10:14:14 -0400 Message-ID: <508A9AB4.50203@linux.vnet.ibm.com> Date: Fri, 26 Oct 2012 10:14:12 -0400 From: Corey Bryant MIME-Version: 1.0 References: <1350479712-15082-1-git-send-email-otubo@linux.vnet.ibm.com> <1350479712-15082-4-git-send-email-otubo@linux.vnet.ibm.com> <50801D29.2080305@redhat.com> <5087F899.2030604@linux.vnet.ibm.com> <5088078B.3070002@redhat.com> <50880B96.20802@linux.vnet.ibm.com> <50880CFF.5010008@redhat.com> <50882598.5090100@linux.vnet.ibm.com> <5088ECEE.4090104@redhat.com> In-Reply-To: <5088ECEE.4090104@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH 4/4] Warning messages on net devices hotplug List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Paolo Bonzini Cc: pmoore@redhat.com, aliguori@us.ibm.com, qemu-devel@nongnu.org, Eduardo Otubo On 10/25/2012 03:40 AM, Paolo Bonzini wrote: > Il 24/10/2012 19:30, Corey Bryant ha scritto: >> >> >> On 10/24/2012 11:45 AM, Paolo Bonzini wrote: >>> Il 24/10/2012 17:39, Corey Bryant ha scritto: >>>> >>>> >>>> On 10/24/2012 11:21 AM, Paolo Bonzini wrote: >>>>> Il 24/10/2012 16:18, Corey Bryant ha scritto: >>>>>> >>>>>> >>>>>> On 10/18/2012 11:15 AM, Paolo Bonzini wrote: >>>>>>> Il 17/10/2012 15:15, Eduardo Otubo ha scritto: >>>>>>>> With the inclusion of the new "double whitelist" seccomp filter, >>>>>>>> Qemu >>>>>>>> won't be able to execve() in runtime, thus, no hotplug net devices >>>>>>>> allowed. >>>>>>>> >>>>>>>> Signed-off-by: Eduardo Otubo >>>>>>> >>>>>>> Please check this in net_init_tap instead. When using libvirt, >>>>>>> hotplug >>>>>>> is done with a completely different mechanism that involves >>>>>>> file-descriptor passing and does not require executing a helper. >>>>>>> >>>>>>> Paolo >>>>>>> >>>>>> >>>>>> Are you sure net_init_tap() is the right place for this check? >>>>> >>>>> Yes, assuming there is a global that says whether the seccomp >>>>> sandbox is >>>>> in effect. Even something like "if (sandbox_active && !tap->has_fd) >>>>> error(...)" can be enough. >>>>> >>>>> Paolo >>>>> >>>> >>>> What do you think about this? It moves the checks into the functions >>>> that actually cause execve() to be called, and it only prevents the >>>> commands after QEMU is done with initialization in main(). >>> >>> It doesn't do error reporting correctly because these functions do not >>> get an Error **. If you change that and use error_setg instead of >>> error_report, it should be okay. >> >> I just wanted to follow up on a few things.. >> >> All of the following functions currently use qerror_report(). I'm >> thinking conversion of these and sub-functions to pass an Error ** >> parameter should be a separate undertaking. >> >> net_init_nic >> net_init_slirp >> net_init_tap >> net_init_socket >> net_init_vde >> net_init_dump >> net_init_bridge >> net_init_hubport > > Ok, but it should not be hard considering that the immediate caller of > all these functions (net_client_init1) takes an Error **. Please > consider this for 1.4 at least. > >>> However, I really think what your testing is not >>> runstate_is_prelaunch(), it is seccomp_effective(). If you structure >>> the test like that, it also lets you eliminate the #ifdef (which in >>> general we prefer to avoid). >> >> The reason for testing runstate_is_prelaunch() is because seccomp will >> be effective during and after prelaunch. The only difference is that a >> more restrictive syscall whitelist will be in effect after prelaunch. So >> perhaps the tests can be similar to the following so that we can get rid >> of the preprocessor #ifdef: >> >> if (seccomp_is_effective() && !runstate_is_prelaunch()) { >> error_report("Cannot execute network helper from QEMU monitor " >> "when -sandbox is in effect"); >> return -1; >> } > > Then you can make the seccomp query return many levels or flags, like > SECCOMP_SANDBOX_ENABLED | SECCOMP_CAN_EXECVE. > > Paolo > True, we can do that. I'll take that approach. Thanks for the suggestion. -- Regards, Corey Bryant