Re: [PATCH] net: tap: check if the file descriptor is valid before using it

[Laurent Vivier <lvivier@redhat.com>]

On 30/06/2020 12:03, Jason Wang wrote:
> 
> On 2020/6/30 下午5:45, Laurent Vivier wrote:
>> On 30/06/2020 11:31, Daniel P. Berrangé wrote:
>>> On Tue, Jun 30, 2020 at 10:23:18AM +0100, Daniel P. Berrangé wrote:
>>>> On Tue, Jun 30, 2020 at 05:21:49PM +0800, Jason Wang wrote:
>>>>> On 2020/6/30 上午3:30, Laurent Vivier wrote:
>>>>>> On 28/06/2020 08:31, Jason Wang wrote:
>>>>>>> On 2020/6/25 下午7:56, Laurent Vivier wrote:
>>>>>>>> On 25/06/2020 10:48, Daniel P. Berrangé wrote:
>>>>>>>>> On Wed, Jun 24, 2020 at 09:00:09PM +0200, Laurent Vivier wrote:
>>>>>>>>>> qemu_set_nonblock() checks that the file descriptor can be
>>>>>>>>>> used and, if
>>>>>>>>>> not, crashes QEMU. An assert() is used for that. The use of
>>>>>>>>>> assert() is
>>>>>>>>>> used to detect programming error and the coredump will allow
>>>>>>>>>> to debug
>>>>>>>>>> the problem.
>>>>>>>>>>
>>>>>>>>>> But in the case of the tap device, this assert() can be
>>>>>>>>>> triggered by
>>>>>>>>>> a misconfiguration by the user. At startup, it's not a real
>>>>>>>>>> problem,
>>>>>>>>>> but it
>>>>>>>>>> can also happen during the hot-plug of a new device, and here
>>>>>>>>>> it's a
>>>>>>>>>> problem because we can crash a perfectly healthy system.
>>>>>>>>> If the user/mgmt app is not correctly passing FDs, then there's
>>>>>>>>> a whole
>>>>>>>>> pile of bad stuff that can happen. Checking whether the FD is
>>>>>>>>> valid is
>>>>>>>>> only going to catch a small subset. eg consider if fd=9 refers
>>>>>>>>> to the
>>>>>>>>> FD that is associated with the root disk QEMU has open. We'll
>>>>>>>>> fail to
>>>>>>>>> setup the TAP device and close this FD, breaking the healthy
>>>>>>>>> system
>>>>>>>>> again.
>>>>>>>>>
>>>>>>>>> I'm not saying we can't check if the FD is valid, but lets be
>>>>>>>>> clear that
>>>>>>>>> this is not offering very much protection against a broken mgmt
>>>>>>>>> apps
>>>>>>>>> passing bad FDs.
>>>>>>>>>
>>>>>>>> I agree with you, but my only goal here is to avoid the crash in
>>>>>>>> this
>>>>>>>> particular case.
>>>>>>>>
>>>>>>>> The punishment should fit the crime.
>>>>>>>>
>>>>>>>> The user can think the netdev_del doesn't close the fd, and he
>>>>>>>> can try
>>>>>>>> to reuse it. Sending back an error is better than crashing his
>>>>>>>> system.
>>>>>>>> After that, if the system crashes, it will be for the good
>>>>>>>> reasons, not
>>>>>>>> because of an assert.
>>>>>>> Yes. And on top of this we may try to validate the TAP via st_dev
>>>>>>> through fstat[1].
>>>>>> I agree, but the problem I have is to know which major(st_dev) we can
>>>>>> allow to use.
>>>>>>
>>>>>> Do we allow only macvtap major number?
>>>>>
>>>>> Macvtap and tuntap.
>>>>>
>>>>>
>>>>>> How to know the macvtap major number at user level?
>>>>>> [it is allocated dynamically: do we need to parse /proc/devices?]
>>>>>
>>>>> I think we can get them through fstat for /dev/net/tun and
>>>>> /dev/macvtapX.
>>>> Don't assume QEMU has any permission to access to these device nodes,
>>>> only the pre-opened FDs it is given by libvirt.
>>> Actually permissions are the least of the problem - the device nodes
>>> won't even exist, because QEMU's almost certainly running in a private
>>> mount namespace with a minimal /dev populated
>>>
>> I'm working on a solution using /proc/devices.
> 
> 
> Similar issue with /dev. There's no guarantee that qemu can access
> /proc/devices or it may not exist (CONFIG_PROCFS).

There is a lot of things that will not work without /proc (several tools
rely on /proc, like ps, top, lsof, mount, ...). Some information are
only available from /proc, and if /proc is there, I think /proc/devices
is always readable by everyone. Moreover /proc is already used by qemu
in several places.

It can also a best effort check.

The problem with fstat() on /dev files is to guess the /dev/macvtapX as
X varies (the same with /dev/tapY)..

> 
>> macvtap has its own major number, but tuntap use "misc" (10) major
>> number.

Another question: it is possible to use the "fd=" parameter with macvtap
as macvtap creates a /dev/tapY device, but how to do that with tuntap
that does not create a /dev/tapY device?

Thanks,
Laurent