qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 2/3] tools: build qemu-vmsr-helper

From: Daniel P . Berrangé
Subject: Re: [PATCH v3 2/3] tools: build qemu-vmsr-helper
Date: Mon, 29 Jan 2024 19:45:51 +0000
User-agent: Mutt/2.2.12 (2023-09-09) 
On Mon, Jan 29, 2024 at 08:33:21PM +0100, Paolo Bonzini wrote:
> On Mon, Jan 29, 2024 at 7:53 PM Daniel P. Berrangé <berrange@redhat.com> 
> wrote:
> > > diff --git a/meson.build b/meson.build
> > > index d0329966f1b4..93fc233b0891 100644
> > > --- a/meson.build
> > > +++ b/meson.build
> > > @@ -4015,6 +4015,11 @@ if have_tools
> > >                 dependencies: [authz, crypto, io, qom, qemuutil,
> > >                                libcap_ng, mpathpersist],
> > >                 install: true)
> > > +
> > > +    executable('qemu-vmsr-helper', 
> > > files('tools/i386/qemu-vmsr-helper.c'),
> >
> > I'd suggest 'tools/x86/' since this works fine on 64-bit too
> 
> QEMU tends to use i386 in the source to mean both 32- and 64-bit.

One day we should rename that to x86 too :-)

> > You never answered my question from the previous posting of this
> >
> > This check is merely validating the the thread ID in the message
> > is a child of the process ID connected to the socket. Any process
> > on the entire host can satisfy this requirement.
> >
> > I don't see what is limiting this to only QEMU as claimed by the
> > commit message, unless you're expecting the UNIX socket permissions
> > to be such that only processes under the qemu:qemu user:group pair
> > can access to the socket ? That would be a libvirt based permissions
> > assumption though.
> 
> Yes, this is why the systemd socket uses 600, like
> contrib/systemd/qemu-pr-helper.socket. The socket can be passed via
> SCM_RIGHTS by libvirt, or its permissions can be changed (e.g. 660 and
> root:kvm would make sense on a Debian system), or a separate helper
> can be started by libvirt.
> 
> Either way, the policy is left to the user rather than embedding it in
> the provided systemd unit.

Ok, this code needs a comment to explain that we're relying on
socket permissions to control who/what can access the daemon,
combined with this PID+TID check to validate it is not spoofing
its identity, as without context the TID check looks pointless.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
reply via email to
[Prev in Thread] Current Thread [Next in Thread]