| Message ID | 87ty4btosa.fsf@linux.vnet.ibm.com |
|---|---|
| State | New |
| Headers | show |
On 01/04/2012 10:28 AM, Aneesh Kumar K.V wrote: > > The following changes since commit f3c6a169a39d188e98c17a0a0ebfa7f85e5aafdd: > > Merge remote-tracking branch 'qemu-kvm/memory/page_desc' into staging (2012-01-03 14:39:05 -0600) > > are available in the git repository at: > > > git://github.com/kvaneesh/QEMU.git for-upstream > > Also available at signed tag virtfs-proxy-support > > > for you to fetch changes up to 84a87cc4cc77f9e6829e20726f00646afe12deed: > > hw/9pfs: Add support to use named socket for proxy FS (2012-01-04 21:23:55 +0530) Pulled. Thanks. Regards, Anthony Liguori > > ---------------------------------------------------------------- > Pass-through security model in QEMU 9p server needs root privilege to do > few file operations (like chown, chmod to any mode/uid:gid). There are two > issues in pass-through security model > > 1) TOCTTOU vulnerability: Following symbolic links in the server could > provide access to files beyond 9p export path. > > 2) Running QEMU with root privilege could be a security issue. > > To overcome above issues, following approach is used: A new filesytem > type 'proxy' is introduced. Proxy FS uses chroot + socket combination > for securing the vulnerability known with following symbolic links. > Intention of adding a new filesystem type is to allow qemu to run > in non-root mode, but doing privileged operations using socket IO. > > Proxy helper(a stand alone binary part of qemu) is invoked with > root privileges. Proxy helper chroots into 9p export path and creates > a socket pair or a named socket based on the command line parameter. > Qemu and proxy helper communicate using this socket. QEMU proxy fs > driver sends filesystem request to proxy helper and receives the > response from it. > > Proxy helper is designed so that it can drop the root privilege but > retaining capbilities that are needed for doing filesystem operations > (like CAP_DAC_OVERRIDE, CAP_FOWNER etc) > > ---------------------------------------------------------------- > Aneesh Kumar K.V (1): > hw/9pfs: Move opt validation to FsDriver callback > > M. Mohan Kumar (13): > hw/9pfs: Move pdu_marshal/unmarshal code to a seperate file > hw/9pfs: Add validation to {un}marshal code > hw/9pfs: Add new proxy filesystem driver > hw/9pfs: File system helper process for qemu 9p proxy FS > hw/9pfs: Open and create files > hw/9pfs: Create other filesystem objects > hw/9pfs: Add stat/readlink/statfs for proxy FS > hw/9pfs: File ownership and others > hw/9pfs: xattr interfaces in proxy filesystem driver > hw/9pfs: Proxy getversion > hw/9pfs: Documentation changes related to proxy fs > hw/9pfs: man page for proxy helper > hw/9pfs: Add support to use named socket for proxy FS > > Makefile | 15 +- > Makefile.objs | 3 +- > configure | 19 + > fsdev/file-op-9p.h | 17 +- > fsdev/qemu-fsdev.c | 45 +-- > fsdev/qemu-fsdev.h | 11 +- > fsdev/virtfs-proxy-helper.c | 1120 +++++++++++++++++++++++++++++++++++++ > fsdev/virtfs-proxy-helper.texi | 63 +++ > fsdev/virtio-9p-marshal.c | 323 +++++++++++ > fsdev/virtio-9p-marshal.h | 90 +++ > hw/9pfs/virtio-9p-device.c | 13 +- > hw/9pfs/virtio-9p-handle.c | 20 + > hw/9pfs/virtio-9p-local.c | 34 ++ > hw/9pfs/virtio-9p-proxy.c | 1210 ++++++++++++++++++++++++++++++++++++++++ > hw/9pfs/virtio-9p-proxy.h | 95 ++++ > hw/9pfs/virtio-9p.c | 704 +++++++++++------------ > hw/9pfs/virtio-9p.h | 83 +--- > qemu-config.c | 13 + > qemu-options.hx | 32 +- > vl.c | 18 +- > 20 files changed, 3414 insertions(+), 514 deletions(-) > create mode 100644 fsdev/virtfs-proxy-helper.c > create mode 100644 fsdev/virtfs-proxy-helper.texi > create mode 100644 fsdev/virtio-9p-marshal.c > create mode 100644 fsdev/virtio-9p-marshal.h > create mode 100644 hw/9pfs/virtio-9p-proxy.c > create mode 100644 hw/9pfs/virtio-9p-proxy.h > > >
The following changes since commit f3c6a169a39d188e98c17a0a0ebfa7f85e5aafdd: Merge remote-tracking branch 'qemu-kvm/memory/page_desc' into staging (2012-01-03 14:39:05 -0600) are available in the git repository at: git://github.com/kvaneesh/QEMU.git for-upstream Also available at signed tag virtfs-proxy-support for you to fetch changes up to 84a87cc4cc77f9e6829e20726f00646afe12deed: hw/9pfs: Add support to use named socket for proxy FS (2012-01-04 21:23:55 +0530) ---------------------------------------------------------------- Pass-through security model in QEMU 9p server needs root privilege to do few file operations (like chown, chmod to any mode/uid:gid). There are two issues in pass-through security model 1) TOCTTOU vulnerability: Following symbolic links in the server could provide access to files beyond 9p export path. 2) Running QEMU with root privilege could be a security issue. To overcome above issues, following approach is used: A new filesytem type 'proxy' is introduced. Proxy FS uses chroot + socket combination for securing the vulnerability known with following symbolic links. Intention of adding a new filesystem type is to allow qemu to run in non-root mode, but doing privileged operations using socket IO. Proxy helper(a stand alone binary part of qemu) is invoked with root privileges. Proxy helper chroots into 9p export path and creates a socket pair or a named socket based on the command line parameter. Qemu and proxy helper communicate using this socket. QEMU proxy fs driver sends filesystem request to proxy helper and receives the response from it. Proxy helper is designed so that it can drop the root privilege but retaining capbilities that are needed for doing filesystem operations (like CAP_DAC_OVERRIDE, CAP_FOWNER etc) ---------------------------------------------------------------- Aneesh Kumar K.V (1): hw/9pfs: Move opt validation to FsDriver callback M. Mohan Kumar (13): hw/9pfs: Move pdu_marshal/unmarshal code to a seperate file hw/9pfs: Add validation to {un}marshal code hw/9pfs: Add new proxy filesystem driver hw/9pfs: File system helper process for qemu 9p proxy FS hw/9pfs: Open and create files hw/9pfs: Create other filesystem objects hw/9pfs: Add stat/readlink/statfs for proxy FS hw/9pfs: File ownership and others hw/9pfs: xattr interfaces in proxy filesystem driver hw/9pfs: Proxy getversion hw/9pfs: Documentation changes related to proxy fs hw/9pfs: man page for proxy helper hw/9pfs: Add support to use named socket for proxy FS Makefile | 15 +- Makefile.objs | 3 +- configure | 19 + fsdev/file-op-9p.h | 17 +- fsdev/qemu-fsdev.c | 45 +-- fsdev/qemu-fsdev.h | 11 +- fsdev/virtfs-proxy-helper.c | 1120 +++++++++++++++++++++++++++++++++++++ fsdev/virtfs-proxy-helper.texi | 63 +++ fsdev/virtio-9p-marshal.c | 323 +++++++++++ fsdev/virtio-9p-marshal.h | 90 +++ hw/9pfs/virtio-9p-device.c | 13 +- hw/9pfs/virtio-9p-handle.c | 20 + hw/9pfs/virtio-9p-local.c | 34 ++ hw/9pfs/virtio-9p-proxy.c | 1210 ++++++++++++++++++++++++++++++++++++++++ hw/9pfs/virtio-9p-proxy.h | 95 ++++ hw/9pfs/virtio-9p.c | 704 +++++++++++------------ hw/9pfs/virtio-9p.h | 83 +--- qemu-config.c | 13 + qemu-options.hx | 32 +- vl.c | 18 +- 20 files changed, 3414 insertions(+), 514 deletions(-) create mode 100644 fsdev/virtfs-proxy-helper.c create mode 100644 fsdev/virtfs-proxy-helper.texi create mode 100644 fsdev/virtio-9p-marshal.c create mode 100644 fsdev/virtio-9p-marshal.h create mode 100644 hw/9pfs/virtio-9p-proxy.c create mode 100644 hw/9pfs/virtio-9p-proxy.h