Re: [Qemu-devel] [PATCH] util: secure memfd_create fallback mechanism
From: Marc-André Lureau
Subject: Re: [Qemu-devel] [PATCH] util: secure memfd_create fallback mechanism
Date: Tue, 27 Sep 2016 08:25:08 -0400 (EDT)
Hi
----- Original Message -----
> On Tue, Sep 27, 2016 at 07:13:55AM -0400, Marc-André Lureau wrote:
> > Hi
> >
> > ----- Original Message -----
> > >
> > > > On Sep 27, 2016, at 05:36, Daniel P. Berrange <address@hidden>
> > > > wrote:
> > > >
> > > > On Tue, Sep 27, 2016 at 03:06:21AM +0000, Rafael David Tinoco wrote:
> > > > We should not have QEMU creating unpredictable filenames in the
> > > > first place - any filenames should be determined by libvirt
> > > > explicitly.
> > >
> > > Note that the filename, per se, is not as important as other files,
> > > since qemu won't provide it to be accessed by external programs, and
> > > deletes the file, while keeping the descriptor, right after its creation
> > > (due to its nature, that is probably why it was created in /tmp).
> > >
> > > Having libvirt define a filename that would not be used for recent
> > > kernels (> 3.17) and would exist for a fraction of second doesn't seem
> > > right to me.
> > >
> >
> > There are other parts of qemu that rely on creating temporary files, and
> > this seems to lack a bit of uniformity. Would it make sense to define a
> > place where qemu could create those? Or setting TMPDIR should help too.
> > Could libvirt set a per-vm TMPDIR with appropriate security rules?
>
> The other places that use mkstemp are block for snapshot=on, which
> libvirt does not support as we want control over the filename. This
> needs fixing by allowing a filename to be given. The qemu sockets code
> uses it for auto-creating a UNIX domain socket path, but again libvirt
> doesn't support that usage. The exec.c file uses it, but that honours
> an explicit directory path provided on the command line. So this memfd
> code really is the first place which is causing a real
Have you reviewed the hundreds of libraries qemu links to? :)
> Just setting TMPDIR per VM doesn't magically solve all these cases as
> it isn't reasonable to assume that all these files should be in the
> same location. Certainly block snapshot file will be somewhere different
> from others, due to its size.
I am not claiming it solves all problems, but at least it seems it would be
quite appropriate for security concerns to have per-vm TMPDIR.
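As an added illustration of the mechanism discussed in this thread (memfd_create on kernels >= 3.17, otherwise a temporary file that honours TMPDIR and is unlinked right after creation, keeping only the descriptor), this is example code and not QEMU's own fallback; the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* Fallback path (hypothetical helper, not QEMU's): an O_EXCL, mode-0600
 * file under TMPDIR (or /tmp) that is unlinked immediately, so that only
 * the returned descriptor refers to it. A per-VM TMPDIR can therefore
 * place it in a directory with its own permissions. Returns fd or -1. */
int unlinked_tmpfile_create(const char *name)
{
    const char *dir = getenv("TMPDIR");
    char path[4096];
    int fd, n;

    if (dir == NULL || *dir == '\0') dir = "/tmp";
    n = snprintf(path, sizeof path, "%s/%s-XXXXXX", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkostemp opens with O_CREAT|O_EXCL, so a pre-planted symlink or
     * an existing file at the chosen name is never followed or reused. */
    fd = mkostemp(path, O_CLOEXEC);
    if (fd < 0) return -1;
    /* Drop the name at once: nothing else can open the file by path. */
    if (unlink(path) < 0) { close(fd); return -1; }
    return fd;
}

/* Prefer memfd_create(2) (Linux >= 3.17, MFD_CLOEXEC == 1U); use the
 * unlinked file only when the running kernel lacks the syscall. */
int anon_fd_create(const char *name)
{
#ifdef __NR_memfd_create
    int fd = (int)syscall(__NR_memfd_create, name, 1U);
    if (fd >= 0 || errno != ENOSYS) return fd;
#endif
    return unlinked_tmpfile_create(name);
}
```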