On Fri, Jun 24, 2011 at 11:22 AM, M. Mohan Kumar <mo...@in.ibm.com> wrote:
> In passthrough security model, following symbolic links in the server
> side could result in TOCTTOU vulnerabilities.
> (http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use)
>
> This patchset resolves this issue by creating a dedicated process which
> chroots into the share path and all file object access is done in the
> chroot environment.
>
> This patchset implements chroot environment, provides necessary functions
> that can be used by the passthrough function calls.

This could also be interesting for privilege separation. A helper process
like this could access and reopen the image files etc. while the rest of
QEMU could run in a jail.

> This patchset is rebased on top of 9p coroutines patches posted to
> qemu-devel list
> http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg02796.html

Aren't the coroutines running in the same process, so don't they share
the root? Also the coroutines are implemented in several OS dependent ways.

> Changes from version V10:
> * Added support to do lstat and readlink from chroot process
> * Fixed an issue with dealing fds when qemu process reached maxfds limit
>
> Changes from version V9:
> * Error handling in special file object creation in virtio-9p-local.c
>
> Changes from version V8:
> * Make chmod and chown also operate under chroot process
> * Check for invalid path requests, minor cleanups
>
> Changes from version V7:
> * Add two chroot methods remove and rename
> * Minor cleanups like consolidating functions
>
> Changes from version V6:
> * Send only fd/errno in socket operations instead of FdInfo structure
> * Minor cleanups
>
> Changes from version V5:
> * Return errno on failure instead of setting errno
> * Minor cleanups like updated comments, enable CONFIG_THREAD if
>   CONFIG_VIRTFS is enabled
>
> Changes from version V4:
> * Avoid using malloc/free inside chroot process
> * Separate chroot server and client functions
>
> Changes from version V3:
> * Return EIO in case of socket read/write fail instead of exiting
> * Changed data types as suggested by Blue Swirl
> * Chroot process reports error through qemu process
>
> Changes from version V2:
> * Treat socket IO errors as fatal, i.e. qemu will exit
> * Split patchset based on chroot side (server) and qemu side (client)
>   functionalities
>
> M. Mohan Kumar (15):
>   Implement qemu_read_full
>   virtio-9p: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled
>   virtio-9p: Provide chroot worker side interfaces
>   virtio-9p: Add qemu side interfaces for chroot environment
>   virtio-9p: Add support to open a file in chroot environment
>   virtio-9p: Create support in chroot environment
>   virtio-9p: Support for creating special files
>   virtio-9p: Add support for removing file or directory
>   virtio-9p: Add support to rename
>   virtio-9p: Move file post creation changes to none security model
>   virtio-9p: Add support for chmod
>   virtio-9p: Add support for chown
>   virtio-9p: Chroot environment for other functions
>   virtio-9p: Add stat functionality to chroot
>   virtio-9p: Add readlink support to chroot
>
>  Makefile.objs                     |   1 +
>  configure                         |   1 +
>  fsdev/file-op-9p.h                |   3 +
>  hw/9pfs/virtio-9p-chroot-worker.c | 418 +++++++++++++++++++++++++++++++++++++
>  hw/9pfs/virtio-9p-chroot.c        | 174 +++++++++++++++
>  hw/9pfs/virtio-9p-chroot.h        |  54 +++++
>  hw/9pfs/virtio-9p-device.c        |  24 ++
>  hw/9pfs/virtio-9p-local.c         | 248 ++++++++++++++++++----
>  osdep.c                           |  32 +++
>  qemu-common.h                     |   2 +
>  10 files changed, 910 insertions(+), 47 deletions(-)
>  create mode 100644 hw/9pfs/virtio-9p-chroot-worker.c
>  create mode 100644 hw/9pfs/virtio-9p-chroot.c
>  create mode 100644 hw/9pfs/virtio-9p-chroot.h
>
> --
> 1.7.5.1
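The worker/QEMU split the cover letter describes (a helper that chroots into the share, and socket replies carrying only an fd or an errno, with EIO reported when the socket itself fails), as an added example that is not the patchset's code: the function names are hypothetical, the chroot step needs CAP_SYS_CHROOT, and the fd is passed with SCM_RIGHTS over a Unix socket.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Worker: confine to the share before serving any path (needs CAP_SYS_CHROOT). */
int worker_enter_share(const char *share)
{
    return (chroot(share) < 0 || chdir("/") < 0) ? errno : 0;
}

/* Reply with either an open fd (SCM_RIGHTS) or the worker's errno value. */
int send_fd_or_errno(int sock, int fd, int err)
{
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof(err) };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        struct cmsghdr *cm;
        memset(cbuf, 0, sizeof(cbuf));
        msg.msg_control = cbuf;
        msg.msg_controllen = sizeof(cbuf);
        cm = CMSG_FIRSTHDR(&msg);
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)sizeof(err) ? 0 : EIO;
}

/* QEMU side: returns the fd, or -1 with *err set (EIO if the socket failed). */
int recv_fd_or_errno(int sock, int *err)
{
    struct iovec iov = { .iov_base = err, .iov_len = sizeof(*err) };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm;
    int fd = -1;
    if (recvmsg(sock, &msg, 0) != (ssize_t)sizeof(*err)) {
        *err = EIO;
        return -1;
    }
    cm = CMSG_FIRSTHDR(&msg);
    if (cm && cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) {
        memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    }
    return fd;
}
```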