[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU
|
From: |
Stefan Hajnoczi |
|
Subject: |
Re: [Qemu-devel] [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability |
|
Date: |
Thu, 16 Jun 2011 06:16:46 +0100 |
On Wed, Jun 15, 2011 at 7:16 PM, Venkateswararao Jujjuri
<address@hidden> wrote:
> On 06/15/2011 10:35 AM, Stefan Hajnoczi wrote:
>>
>> On Tue, Jun 14, 2011 at 9:12 AM, M. Mohan Kumar<address@hidden> wrote:
>>>
>>> [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
>>>
>>> In passthrough security model, following a symbolic link in the server
>>> side could result in TOCTTOU vulnerability.
>>>
>>> Use clone system call to create a thread which runs in chrooted
>>> environment. All passthrough model file operations are done from this
>>> thread to avoid TOCTTOU vulnerability.
>>
>> How will chroot(2) work when QEMU runs as non-root (i.e. secure
>> production environments)?
>>
> This is used only in passthrough mode; passthrough mode needs root access by
> design.
> There is no TOCTTOU vulnerability in mapped mode as symlinks are not actual
> symlinks on host FS.
So is passthrough mode something you only expect developers and
one-off command-line users to try? I expect users would not want to
run QEMU as root in production.
Regarding mapped mode, I think jailing problems still exist there
since the guest could send a path that contains "../../../../.." and
escape the fs_root?
Stefan