[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 3/8] xen: defer call to xen_restrict until just
|
From: |
Ian Jackson |
|
Subject: |
Re: [Qemu-devel] [PATCH 3/8] xen: defer call to xen_restrict until just before os_setup_post |
|
Date: |
Fri, 13 Oct 2017 11:43:51 +0100 |
Ross Lagerwall writes ("Re: [PATCH 3/8] xen: defer call to xen_restrict until
just before os_setup_post"):
> This works for normally starting a VM but doesn't seem to work when
> resuming/migrating.
>
> Here is the order of selected operations when starting a VM normally:
> VNC server running on 127.0.0.1:5901
> xen_change_state_handler()
> xenstore_record_dm_state: running
> xen_setup_post()
> xentoolcore_restrict_all: rc = 0
> os_setup_post()
> main_loop()
>
> Here is the order of selected operations when starting QEMU with
> -incoming fd:... :
> VNC server running on 127.0.0.1:5902
> migration_fd_incoming()
> xen_setup_post()
> xentoolcore_restrict_all: rc = 0
> os_setup_post()
> main_loop()
> migration_set_incoming_channel()
> migrate_set_state()
> xen_change_state_handler()
> xenstore_record_dm_state: running
> error recording dm state
> qemu exited with code 1
>
> The issue is that QEMU needs xenstore access to write "running" but this
> is after it has already been restricted. Moving xen_setup_post() into
> xen_change_state_handler() works fine. The only issue is that in the
> migration case, it executes after os_setup_post() so QEMU might be
> chrooted in which case opening /dev/null to restrict fds doesn't work
> (unless its new root has a /dev/null).
Thanks for the extensive diagnosis.
We do in fact want the restriction to occur before the migration
stream is read. This is because we are trying to defend against a
guest which can exploit a bug in qemu. That means that the sending
qemu must be assumed to be compromised. In this context I don't think
qemu's migration stream receiver can be regarded as hardened against
hostile input; it's far too complicated, even if efforts have been
made in that direction (I haven't checked). So to avoid the receiving
qemu being compromised while still unrestricted, we should restrict
before starting to read the migration stream.
The correct fix is to use a different technique to notify the
toolstack that qemu is up and running. That obviously requires
changes on the Xen tools side. I will look into that for the Xen 4.11
release cycle.
Ian.
- [Qemu-devel] [PATCH v4 0/8] xen: xen-domid-restrict improvements, Ian Jackson, 2017/10/09
- [Qemu-devel] [PATCH 1/8] xen: link against xentoolcore, Ian Jackson, 2017/10/09
- Re: [Qemu-devel] [PATCH 1/8] xen: link against xentoolcore, Ian Jackson, 2017/10/09
- Re: [Qemu-devel] [PATCH 1/8] xen: link against xentoolcore, Anthony PERARD, 2017/10/10
- Re: [Qemu-devel] [PATCH 1/8] xen: link against xentoolcore, Ian Jackson, 2017/10/10
- Re: [Qemu-devel] [PATCH 1/8] xen: link against xentoolcore, Ian Jackson, 2017/10/19
- Re: [Qemu-devel] [PATCH 1/8] xen: link against xentoolcore, Anthony PERARD, 2017/10/19
- Re: [Qemu-devel] [PATCH 1/8] xen: link against xentoolcore, Ian Jackson, 2017/10/20
[Qemu-devel] [PATCH 2/8] xen: restrict: use xentoolcore_restrict_all, Ian Jackson, 2017/10/09
[Qemu-devel] [PATCH 5/8] xen: move xc_interface compatibility fallback further up the file, Ian Jackson, 2017/10/09