Subject: [Qemu-devel] [PATCH V12 00/15] virtio-9p: chroot environment for passthrough security model
From: M. Mohan Kumar
Date: Mon, 5 Sep 2011 21:48:21 +0530
In the passthrough security model, following symbolic links on the server
side could result in TOCTTOU vulnerabilities.
(http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use)
This patchset resolves this issue by creating a dedicated process which
chroots into the share path, and all file object accesses are done in the
chroot environment.
This patchset implements the chroot environment and provides the necessary
functions that can be used by the passthrough function calls.
Qemu needs to be invoked by the root user to use virtfs with the passthrough
security model (i.e. to use the chroot() syscall).
The question is: is running qemu as the root user expected and allowed? Some of
the virtfs features can be utilized only if qemu is started by the root user (for
example, the passthrough security model and the handle-based file driver need root
privilege).
This issue can be resolved by the root user starting qemu, spawning a process
with root privilege to do all privileged operations there, and the main qemu
process dropping its privileges to avoid any security issue from running qemu in
root mode. Privileged operations can be done similarly to the chroot patchset.
But how do we determine to which user-id (i.e. non-root user id) qemu needs to drop
its privileges? Do we have a common user-id across all distributions/systems
to which the qemu process can be dropped down? Also, it becomes too complex, i.e. when
a new feature needing root privilege is added, a process with root privilege
needs to be created to handle it.
So is it allowed to run qemu as the root user? If not, is it okay to add the
complexity of a root-privilege process for each feature that needs root
privilege?
Changes from version V11:
* Rebased on top of latest qemu tree
* Moved chroot process creation into local_init function
* g_malloc/g_free instead of qemu_malloc/qemu_free
* Rename qemu_recv function to chroot_recv
Changes from version V10:
* Added support to do lstat and readlink from chroot process
* Fixed an issue with dealing with fds when the qemu process reached the maxfds limit
Changes from version V9:
* Error handling in special file object creation in virtio-9p-local.c
Changes from version V8:
* Make chmod and chown also operate under chroot process
* Check for invalid path requests, minor cleanups
Changes from version V7:
* Add two chroot methods remove and rename
* Minor cleanups like consolidating functions
Changes from version V6:
* Send only fd/errno in socket operations instead of FdInfo structure
* Minor cleanups
Changes from version V5:
* Return errno on failure instead of setting errno
* Minor cleanups like updated comments, enable CONFIG_THREAD if
CONFIG_VIRTFS is enabled
Changes from version V4:
* Avoid using malloc/free inside chroot process
* Separate chroot server and client functions
Changes from version V3:
* Return EIO in case of socket read/write fail instead of exiting
* Changed data types as suggested by Blue Swirl
* Chroot process reports error through qemu process
Changes from version V2:
* Treat socket IO errors as fatal, i.e. qemu will exit
* Split patchset based on chroot side (server) and qemu side (client)
functionalities
M. Mohan Kumar (15):
Implement qemu_read_full
virtio-9p: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled
virtio-9p: Provide chroot worker side interfaces
virtio-9p: qemu interfaces for chroot environment
virtio-9p: Support for opening a file in chroot environment
virtio-9p: Create support in chroot environment
virtio-9p: Creating special files in chroot environment
virtio-9p: Removing file or directory in chroot environment
virtio-9p: Rename in chroot environment
virtio-9p: Move file post creation changes to none security model
virtio-9p: chmod in chroot environment
virtio-9p: chown in chroot environment
virtio-9p: stat in chroot environment
virtio-9p: readlink in chroot environment
virtio-9p: Chroot environment for other functions
Makefile.objs | 1 +
configure | 1 +
fsdev/file-op-9p.h | 3 +
hw/9pfs/virtio-9p-chroot-worker.c | 413 +++++++++++++++++++++++++++++++++++++
hw/9pfs/virtio-9p-chroot.c | 173 ++++++++++++++++
hw/9pfs/virtio-9p-chroot.h | 54 +++++
hw/9pfs/virtio-9p-device.c | 1 +
hw/9pfs/virtio-9p-local.c | 277 ++++++++++++++++++++-----
osdep.c | 32 +++
qemu-common.h | 2 +
10 files changed, 907 insertions(+), 50 deletions(-)
create mode 100644 hw/9pfs/virtio-9p-chroot-worker.c
create mode 100644 hw/9pfs/virtio-9p-chroot.c
create mode 100644 hw/9pfs/virtio-9p-chroot.h
--
1.7.5.4
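The worker-process design the cover letter describes, as an added C example that is not part of the patchset: a forked worker chroots into the share path, opens the requested file there, and answers the qemu side with a 4-byte errno plus, on success, the descriptor passed over a unix socketpair (the series' "send only fd/errno" convention, with EIO when the socket itself fails). The function names send_fd_reply, recv_fd_reply and chroot_worker_open are assumptions, and chroot needs CAP_SYS_CHROOT, so run unprivileged the worker simply reports EPERM.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reply = 4-byte errno (0 on success); on success the opened fd rides along as SCM_RIGHTS. */
static int send_fd_reply(int sock, int fd, int err)
{
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof(err) };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {                        /* attach the descriptor only when there is one */
        msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
        *(int *)CMSG_DATA(c) = fd;
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)sizeof(err) ? 0 : -1;
}
/* Returns the received fd, or -1 with *err = the worker's errno (EIO if the socket failed). */
static int recv_fd_reply(int sock, int *err)
{
    struct iovec iov = { .iov_base = err, .iov_len = sizeof(*err) };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    int fd = -1;
    if (recvmsg(sock, &msg, 0) != (ssize_t)sizeof(*err)) { *err = EIO; return -1; }
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (*err == 0 && c && c->cmsg_type == SCM_RIGHTS) fd = *(int *)CMSG_DATA(c);
    else if (*err == 0) *err = EIO;       /* success claimed but no descriptor attached */
    return fd;
}
/* Fork a worker that chroots into the share and opens 'path' there; the qemu side never walks the path. */
static int chroot_worker_open(const char *root, const char *path, int flags, int *err)
{
    int sv[2], fd; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { *err = errno; return -1; }
    if ((pid = fork()) < 0) { *err = errno; close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                       /* worker: chroot first, then open inside it */
        fd = (chroot(root) < 0 || chdir("/") < 0) ? -1 : open(path, flags);
        send_fd_reply(sv[1], fd, fd < 0 ? errno : 0);
        _exit(0);
    }
    close(sv[1]);
    fd = recv_fd_reply(sv[0], err);
    close(sv[0]); waitpid(pid, NULL, 0);
    return fd;
}
```

A symlink inside the share that points at, say, /etc/passwd resolves inside the worker's chroot, so the qemu side only ever receives descriptors for objects under the share path.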