From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Anthony Harivel <aharivel@redhat.com>,
mtosatti@redhat.com, qemu-devel@nongnu.org, vchundur@redhat.com
Subject: Re: [PATCH v3 2/3] tools: build qemu-vmsr-helper
Date: Mon, 29 Jan 2024 19:53:54 +0000 [thread overview]
Message-ID: <ZbgCUpVTYg9VU4b-@redhat.com> (raw)
In-Reply-To: <ZbgAb3m6-rwUFxOO@redhat.com>
On Mon, Jan 29, 2024 at 07:45:51PM +0000, Daniel P. Berrangé wrote:
> On Mon, Jan 29, 2024 at 08:33:21PM +0100, Paolo Bonzini wrote:
> > On Mon, Jan 29, 2024 at 7:53 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
> > > > diff --git a/meson.build b/meson.build
> > > > index d0329966f1b4..93fc233b0891 100644
> > > > --- a/meson.build
> > > > +++ b/meson.build
> > > > @@ -4015,6 +4015,11 @@ if have_tools
> > > > dependencies: [authz, crypto, io, qom, qemuutil,
> > > > libcap_ng, mpathpersist],
> > > > install: true)
> > > > +
> > > > + executable('qemu-vmsr-helper', files('tools/i386/qemu-vmsr-helper.c'),
> > >
> > > I'd suggest 'tools/x86/' since this works fine on 64-bit too
> >
> > QEMU tends to use i386 in the source to mean both 32- and 64-bit.
>
> One day we should rename that to x86 too :-)
>
> > > You never answered my question from the previous posting of this
> > >
> > > This check is merely validating the the thread ID in the message
> > > is a child of the process ID connected to the socket. Any process
> > > on the entire host can satisfy this requirement.
> > >
> > > I don't see what is limiting this to only QEMU as claimed by the
> > > commit message, unless you're expecting the UNIX socket permissions
> > > to be such that only processes under the qemu:qemu user:group pair
> > > can access to the socket ? That would be a libvirt based permissions
> > > assumption though.
> >
> > Yes, this is why the systemd socket uses 600, like
> > contrib/systemd/qemu-pr-helper.socket. The socket can be passed via
> > SCM_RIGHTS by libvirt, or its permissions can be changed (e.g. 660 and
> > root:kvm would make sense on a Debian system), or a separate helper
> > can be started by libvirt.
> >
> > Either way, the policy is left to the user rather than embedding it in
> > the provided systemd unit.
>
> Ok, this code needs a comment to explain that we're relying on
> socket permissions to control who/what can access the daemon,
> combined with this PID+TID check to validate it is not spoofing
> its identity, as without context the TID check looks pointless.
Looking again, the TID is never used after being checked. QEMU sends
the TID, but the helper never does anything with this information
except to check the TID belongs the PID. Why are we sending the TID ?
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2024-01-29 19:54 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-25 7:22 [PATCH v3 0/3] Add support for the RAPL MSRs series Anthony Harivel
2024-01-25 7:22 ` [PATCH v3 1/3] qio: add support for SO_PEERCRED for socket channel Anthony Harivel
2024-01-25 16:37 ` Daniel P. Berrangé
2024-01-29 19:25 ` Paolo Bonzini
2024-01-29 19:30 ` Daniel P. Berrangé
2024-01-25 7:22 ` [PATCH v3 2/3] tools: build qemu-vmsr-helper Anthony Harivel
2024-01-29 18:53 ` Daniel P. Berrangé
2024-01-29 19:33 ` Paolo Bonzini
2024-01-29 19:45 ` Daniel P. Berrangé
2024-01-29 19:53 ` Daniel P. Berrangé [this message]
2024-01-29 20:21 ` Paolo Bonzini
2024-02-21 13:19 ` Anthony Harivel
2024-02-21 13:47 ` Daniel P. Berrangé
2024-02-21 13:52 ` Anthony Harivel
2024-03-01 11:08 ` Anthony Harivel
2024-01-25 7:22 ` [PATCH v3 3/3] Add support for RAPL MSRs in KVM/Qemu Anthony Harivel
2024-01-29 19:29 ` Daniel P. Berrangé
2024-02-20 14:00 ` Anthony Harivel
2024-02-20 15:00 ` Daniel P. Berrangé
2024-03-05 14:58 ` Anthony Harivel
2024-01-30 9:13 ` Daniel P. Berrangé
2024-03-04 14:41 ` Anthony Harivel
2024-03-04 14:48 ` Daniel P. Berrangé
2024-03-05 13:25 ` Anthony Harivel
2024-03-05 13:57 ` Daniel P. Berrangé
2024-01-30 9:39 ` Daniel P. Berrangé
2024-03-12 11:21 ` Anthony Harivel
2024-03-12 15:49 ` Daniel P. Berrangé
2024-03-13 10:48 ` Anthony Harivel
2024-03-13 11:04 ` Daniel P. Berrangé
2024-03-14 8:26 ` Anthony Harivel
2024-03-14 8:55 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZbgCUpVTYg9VU4b-@redhat.com \
--to=berrange@redhat.com \
--cc=aharivel@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=vchundur@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).