From: Stefan Hajnoczi
Date: Thu, 16 Jun 2011 06:16:46 +0100
Subject: Re: [Qemu-devel] [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
To: Venkateswararao Jujjuri
Cc: mohan@in.ibm.com, qemu-devel@nongnu.org
In-Reply-To: <4DF8F706.4080709@linux.vnet.ibm.com>
References: <20110614081244.GB3428@in.ibm.com> <4DF8F706.4080709@linux.vnet.ibm.com>

On Wed, Jun 15, 2011 at 7:16 PM, Venkateswararao Jujjuri wrote:
> On 06/15/2011 10:35 AM, Stefan Hajnoczi wrote:
>>
>> On Tue, Jun 14, 2011 at 9:12 AM, M. Mohan Kumar wrote:
>>>
>>> [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
>>>
>>> In passthrough security model, following a symbolic link in the server
>>> side could result in TOCTTOU vulnerability.
>>>
>>> Use clone system call to create a thread which runs in chrooted
>>> environment. All passthrough model file operations are done from this
>>> thread to avoid TOCTTOU vulnerability.
>>
>> How will chroot(2) work when QEMU runs as non-root (i.e. secure
>> production environments)?
>>
> This is used only in passthrough mode; passthrough mode needs root access by
> design.
> There is no TOCTTOU vulnerability in mapped mode as symlinks are not actual
> symlinks on host FS.

So is passthrough mode something you only expect developers and one-off
command-line users to try?  I expect users would not want to run QEMU as
root in production.

Regarding mapped mode, I think jailing problems still exist there since
the guest could send a path that contains "../../../../.." and escape
the fs_root?

Stefan