Re: [Qemu-devel] [PATCH V12 00/15] virtio-9p: chroot environment for pas
From: M. Mohan Kumar
Subject: Re: [Qemu-devel] [PATCH V12 00/15] virtio-9p: chroot environment for passthrough security model
Date: Tue, 13 Sep 2011 11:59:38 +0530
User-agent: KMail/1.13.7 (Linux/2.6.40-4.fc15.x86_64; KDE/4.6.5; x86_64; ; )

> I agree, regardless of libvirt's needs, p9fs needs to be secure for any
> non-root user using QEMU. As non-root I should be able to do
>
> $ qemu -virtfs $HOME/shared
>
> and have strong confidence that symlink attacks can't be used by the
> guest to access other locations under $HOME.
>
> > A virtfs feature that needs root therefore needs to be in a separate
> > process. Either QEMU needs to fork or virtfs could use a separate
> > daemon binary.
>
> One other idea I just had is 'fakechroot'. This is basically an LD_PRELOAD
> hack which wraps the C library's native chroot(), open() etc call to do
> chroot in userspace, thus avoiding a need for root privileges.
>
> Either you could just invoke QEMU via fakechroot, enabling your code from
> these patches to be used as non-root. Or we could take the code from the
> fakechroot library and use that directly in the p9fs code to apply the
> path security checks
>
With fakechroot I can still do the following:

    chroot("/etc/cups");
    fd = open("../passwd", O_RDONLY);

It does not check access beyond the chroot path. Also, in the virtio-9p case, a
modified guest kernel can send a symbolic link and that could resolve outside
the chroot path.

The passthrough security model in virtio-9p needs root privilege not only for
the chroot() syscall but also to do chown and chmod on files created by the guest.
So IMHO fakechroot can't be used in this case.
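
The two escapes described in this message (".." relative to the confined path, and a symbolic link that resolves outside it) can be refused by walking a guest-supplied path one component at a time. The following is an added example, not code from the patch series or from QEMU; open_beneath() is a hypothetical name, and it covers only path confinement, not the chown and chmod for which the passthrough model needs root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` (guest-supplied, relative to the export)
 * beneath the directory rootfd. Each component is opened with openat() and
 * O_NOFOLLOW relative to its parent's fd, so a symlink anywhere in the path
 * makes the open fail instead of being followed. `flags` must not contain
 * O_CREAT. Returns a file descriptor, or -1 with errno set. */
int open_beneath(int rootfd, const char *path, int flags)
{
    char buf[PATH_MAX], *save = NULL, *name, *next;
    int fd, saved, dirfd;
    if (strlen(path) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    if ((dirfd = dup(rootfd)) < 0) return -1;
    for (name = strtok_r(buf, "/", &save); name; name = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(name, "..") == 0) {  /* never walk upwards */
            fd = -1;
            errno = EACCES;
        } else {                        /* non-final parts must be directories */
            fd = openat(dirfd, name,
                        (next ? O_RDONLY | O_DIRECTORY : flags) | O_NOFOLLOW);
        }
        saved = errno;
        close(dirfd);
        errno = saved;
        if (fd < 0) return -1;
        dirfd = fd;
    }
    return dirfd;   /* last fd opened; a copy of rootfd for an empty path */
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s EXPORT_DIR PATH\n", argv[0]); return 2; }
    int root = open(argv[1], O_RDONLY | O_DIRECTORY);
    int fd = root < 0 ? -1 : open_beneath(root, argv[2], O_RDONLY);
    if (fd < 0) { perror(argv[2]); return 1; }
    printf("opened %s inside %s\n", argv[2], argv[1]);
    return 0;
}
```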