From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] virtio-rng and fd passing
Date: Fri, 01 Mar 2013 22:34:47 -0500 [thread overview]
Message-ID: <51317357.60605@linux.vnet.ibm.com> (raw)
In-Reply-To: <87lia6fq2a.fsf@codemonkey.ws>
On 03/01/2013 10:17 PM, Anthony Liguori wrote:
> Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
>
>> On 03/01/2013 06:59 PM, Anthony Liguori wrote:
>>> Eric Blake <eblake@redhat.com> writes:
>>>
>>>> On 03/01/2013 04:05 PM, Anthony Liguori wrote:
>>>>> Eric Blake <eblake@redhat.com> writes:
>>>>>
>>>>>> On 03/01/2013 02:08 PM, Anthony Liguori wrote:
>>>>>>
>>>>>>>>> You can pass chardevs to the egd backend. It's really not a good idea
>>>>>>>>> to pass a fd via rng-rangom.
>>>>>> Why not? If you are running a single guest, why can't libvirt pass that
>>>>>> one guest an fd instead of making qemu open() the file?
>>>>> Why can't QEMU just open(/dev/random)? What's the advantage of libvirt
>>>>> doing the open?
>>>> sVirt/syscall blacklisting
>>>>
>>>> Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
>>>> get ALL its fds from inheritence across exec() and/or SCM_RIGHTS. In
>>>> this way, qemu can be made more secure out of the box, even on file
>>>> systems like NFS that lack SELinux labeling.
>>> Opening up files as root and passing the descriptors to an unprivileged
>>> process is more secure than doing open() as an unprivileged process.
>>>
>>> The kernel is capable of doing this enforcement. I don't think it's
>>> reasonable to expect QEMU to never use open() at all.
>> For blacklisting of open() to succeed we would need to at least pass all
>> file descriptors into QEMU so that QEMU doesn't need to call open()
>> because of the devices it uses. If there are no open() calls left in
>> all/most predictable cases then blacklisting open() could be enabled for
>> those cases (hopefully all of them). Isn't thos the technical aspect to
>> what it comes down to in the end that would let one blacklist open()?
> Sandboxing isn't a panacea. The benefit comes from removing unnecessary
> interfaces from the attack surface. It doesn't help if you blacklist
> and interface but then invent an RPC that replicates it anyway.
>
> Moving the open validation logic from the kernel to libvirt is *not*
> reducing the attack surface. It's simply moving it from one place (the
> kernel) to another (libvirt).
It depends on what one defends against. If a jail-break succeeds and
open() is disabled, then that attack surfaces was effectively reduced.
It's hard to say whether opening files within libvirt could then allow
new exploits.
Stefan
next prev parent reply other threads:[~2013-03-02 3:34 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <512FF819.7050505@redhat.com>
2013-03-01 9:51 ` [Qemu-devel] virtio-rng and fd passing Paolo Bonzini
2013-03-04 4:29 ` Amit Shah
2013-03-06 6:20 ` Amit Shah
2013-03-01 19:37 ` H. Peter Anvin
2013-03-01 20:13 ` Stefan Berger
2013-03-01 20:15 ` H. Peter Anvin
2013-03-01 20:41 ` Paolo Bonzini
2013-03-01 20:04 ` Anthony Liguori
2013-03-01 20:34 ` Stefan Berger
2013-03-01 21:08 ` Anthony Liguori
2013-03-01 21:13 ` Eric Blake
2013-03-01 23:05 ` Anthony Liguori
2013-03-01 23:14 ` Eric Blake
2013-03-01 23:59 ` Anthony Liguori
2013-03-02 0:29 ` Eric Blake
2013-03-02 3:13 ` Anthony Liguori
2013-03-02 12:23 ` Paolo Bonzini
2013-03-03 21:05 ` Anthony Liguori
2013-03-04 21:57 ` Eric Blake
2013-03-04 22:24 ` Anthony Liguori
2013-03-04 22:35 ` Eric Blake
2013-03-05 4:44 ` H. Peter Anvin
2013-03-04 21:54 ` Eric Blake
2013-03-02 0:34 ` Stefan Berger
2013-03-02 3:17 ` Anthony Liguori
2013-03-02 3:34 ` Stefan Berger [this message]
2013-03-03 21:06 ` Anthony Liguori
2013-03-04 15:27 ` Corey Bryant
2013-03-04 10:29 ` Daniel P. Berrange
2013-03-04 15:55 ` Corey Bryant
2013-03-01 22:59 ` Peter Krempa
2013-03-01 23:14 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51317357.60605@linux.vnet.ibm.com \
--to=stefanb@linux.vnet.ibm.com \
--cc=anthony@codemonkey.ws \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).