From: Eric Blake
Date: Fri, 01 Mar 2013 16:14:40 -0700
Subject: Re: [Qemu-devel] virtio-rng and fd passing
To: Anthony Liguori
Cc: qemu-devel@nongnu.org, Stefan Berger
Message-ID: <51313660.5010001@redhat.com>
In-Reply-To: <87r4jy90wt.fsf@codemonkey.ws>

On 03/01/2013 04:05 PM, Anthony Liguori wrote:
> Eric Blake writes:
>
>> On 03/01/2013 02:08 PM, Anthony Liguori wrote:
>>
>>>>> You can pass chardevs to the egd backend. It's really not a good idea
>>>>> to pass a fd via rng-random.
>>
>> Why not? If you are running a single guest, why can't libvirt pass that
>> one guest an fd instead of making qemu open() the file?
>
> Why can't QEMU just open(/dev/random)? What's the advantage of libvirt
> doing the open?
sVirt/syscall blacklisting.

Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
get ALL its fds from inheritance across exec() and/or SCM_RIGHTS. In
this way, qemu can be made more secure out of the box, even on file
systems like NFS that lack SELinux labeling. Right now, if you store
your image files on NFS, then you have to explicitly grant SELinux the
virt_use_nfs boolean, which says that qemu can open() _any_ file on
NFS, even if it is not a file belonging to the guest's disk image. But
if we can prohibit qemu from calling open(), while still accessing
everything it needs with fd passing, then virt_use_nfs is no longer
necessary - and even if the qemu process is compromised by a rogue
guest, the compromised process cannot access any file to which it does
not already have an fd.

But given the way open() blacklisting works, allowing qemu to
open("/dev/random") while forbidding open("/nfs/...") is much harder
than forbidding all open(). In other words, an all-or-nothing switch is
possible only if qemu consistently uses qemu_open() instead of raw
open().

> I understand the reason that fdsets exist (because NFS is stupid and
> doesn't support labeling). But we aren't doing dynamic labeling of
> /dev/random and I strongly suspect it's not on NFS anyway.
>
> So why are we trying to pass fds here?

Consistency - how do you write a policy that allows open("/dev/random")
while forbidding open("/nfs/...")? It's much simpler to forbid open(),
even if /dev/random doesn't have any labeling issues.
--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
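Added example, not code from this thread, QEMU or libvirt: the SCM_RIGHTS hand-off Eric describes, where a "manager" side performs the only open() and the "consumer" side reads solely through the descriptor it received. A constructed temp file stands in for /dev/random, and the names send_fd, recv_fd and demo_fd_passing are my own.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send one open descriptor over a connected AF_UNIX socket; 0 on success. */
int send_fd(int sock, int fd)
{
    char dummy = 'F'; struct iovec iov = { &dummy, 1 }; /* SCM_RIGHTS needs >= 1 data byte */
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd, or -1 if no SCM_RIGHTS cmsg arrived. */
int recv_fd(int sock)
{
    char dummy; struct iovec iov = { &dummy, 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Manager side open()s a constructed temp file (a stand-in for /dev/random, an
 * assumption for this example) and hands the fd over; the consumer side reads
 * only through the received fd. Returns 1 if the consumer read the expected bytes. */
int demo_fd_passing(void)
{
    int sv[2], src, got;
    char path[] = "/tmp/fdpassXXXXXX", in[8] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    if ((src = mkstemp(path)) < 0) return 0;     /* the only open() in this program */
    unlink(path);
    if (write(src, "entropy", 7) != 7 || lseek(src, 0, SEEK_SET) != 0) return 0;
    if (send_fd(sv[0], src) != 0) return 0;
    close(src);                                  /* sender's copy closed; the open file lives on */
    if ((got = recv_fd(sv[1])) < 0) return 0;    /* consumer side: no open() here */
    ssize_t n = read(got, in, 7);
    close(got); close(sv[0]); close(sv[1]);
    return n == 7 && memcmp(in, "entropy", 7) == 0;
}
```

The consumer still reads the file after the sender has closed its own copy, which is exactly what lets a policy forbid open() entirely for the consumer process.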