All of lore.kernel.org
 help / color / mirror / Atom feed
From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: Will Cohen <wwcohen@gmail.com>
Cc: qemu-devel@nongnu.org, qemu-stable@nongnu.org,
	Greg Kurz <groug@kaod.org>,
	 Keno Fischer <keno@juliacomputing.com>,
	Michael Roitzsch <reactorcontrol@icloud.com>,
	Akihiko Odaki <akihiko.odaki@gmail.com>
Subject: Re: [PATCH v2 2/5] 9pfs: fix qemu_mknodat(S_IFSOCK) on macOS
Date: Wed, 27 Apr 2022 20:16:26 +0200	[thread overview]
Message-ID: <2537696.GXuhJ82tfg@silver> (raw)
In-Reply-To: <CAB26zV1Lpgp-LZ=EXcONHAVOnrPbB5ZYEucA4q5ftgrsXfuSmA@mail.gmail.com>

On Mittwoch, 27. April 2022 19:12:15 CEST Will Cohen wrote:
> On Wed, Apr 27, 2022 at 12:18 PM Christian Schoenebeck <
> 
> qemu_oss@crudebyte.com> wrote:
> > On Mittwoch, 27. April 2022 15:31:42 CEST Greg Kurz wrote:
> > > On Wed, 27 Apr 2022 14:32:53 +0200
> > > 
> > > Christian Schoenebeck <qemu_oss@crudebyte.com> wrote:
> > > > On Mittwoch, 27. April 2022 12:18:10 CEST Greg Kurz wrote:
> > > > > On Wed, 27 Apr 2022 11:27:28 +0900
> > > > > 
> > > > > Akihiko Odaki <akihiko.odaki@gmail.com> wrote:
> > > > > > On 2022/04/26 21:38, Greg Kurz wrote:
> > [...]
> > 
> > > > > > Considering the transient states are tolerated in 9pfs, we need to
> > > > > > design this function to be tolerant with transient states as well.
> > 
> > The
> > 
> > > > > > use of chmod() is not safe when we consider about transient
> > 
> > states. A
> > 
> > > > > > malicious actor may replace the file at the path with a symlink
> > 
> > which
> > 
> > > > > > may escape the shared directory and chmod() will naively follow
> > > > > > it.
> > > > > 
> > > > > You get a point here. Thanks for your tenacity ! :-)
> > > > 
> > > > Yep, I send a v4 with fchmodat_nofollow() instead of chmod(), thanks!
> > > > 
> > > > BTW, why is it actually allowed for client to create a symlink
> > > > pointing
> > > > outside exported directory tree with security_model=passthrough/none?
> > 
> > Did
> > 
> > > > anybody want that?
> > > 
> > > The target argument to symlink() is merely a string that is stored in
> > > the inode. It is only evaluated as a path at the time an action is
> > > made on the link. Checking at symlink() time is thus useless.
> > > 
> > > Anyway, we're safe on this side since it's the client's job to
> > > resolve links and we explicitly don't follow them in the server.
> > 
> > I wouldn't call it useless, because it is easier to keep exactly 1 hole
> > stuffed instead of being forced to continuously stuff N holes as new ones
> > may
> > popup up over time, as this case shows (mea culpa).
> > 
> > So you are trading (probably minor) performance for security.
> > 
> > But my question was actually meant seriously: whether there was anybody in
> > the
> > past who probably actually wanted to create relative symlinks outside the
> > exported tree. For instance for another service with wider host filesystem
> > access.
> 
> For what it's worth, the inability to follow symlinks read-write outside of
> the tree appears to be, at the moment, the primary pain point for new users
> of 9pfs in containerization software (see the later comments in
> https://github.com/lima-vm/lima/pull/726 and to a lesser extent
> https://github.com/containers/podman/issues/13784).
> 
> To my knowledge, neither podman nor lima have come up with conclusive
> preferred solutions for how to address this, much less had a robust
> discussion with the QEMU team.
> The lima discussion notes that it works read-only with passthrough/none, so
> I'd suggest that if there weren't users of it before, there are now! As I
> understand it, one partial solution for downstream software that allows for
> read-write may just be to more proactively mount larger directories to
> minimize the number of external paths that symlinks might get tripped up
> on. That said, this will stop working when it comes to linking to
> additional mounts, since /Volumes on darwin will never line up with /mnt.

That's a different thing. People in those discussions were using 
security_model=mapped where symlinks on guest are virtually mapped as textual 
file content (try 'cat <symlink>' on host). So in this mode symlinks on host 
and symlinks on guest are intentionally separated from each other.

The issue I was referring to was about security_model=passthrough|none which 
has the exact same symlinks accessible both on host and guest side, and more 
specifically I meant: symlinks created by guest that would point to a location 
*above* the 9p export root. E.g. say guest has access to the following host 
directory via 9p, that is access *below* the following directory on host:

  /vm/foo/

And say guest now mounts that host directory and creates a symlink like:

  mount -t 9p foo /mnt
  cd /mnt
  ln -s ../bar bar

That symlink would now point to /bar from guest's PoV, and to /vm/bar from 
host's PoV (i.e. a location on host where guest should not have access to at 
all).

BTW some of the other issues mentioned in the linked discussion, like the 
timeout errors, are fixed with this patch set.

Best regards,
Christian Schoenebeck




  reply	other threads:[~2022-04-27 18:17 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-21 15:08 [PATCH v2 0/5] 9pfs: macOS host fixes Christian Schoenebeck
2022-04-21 15:07 ` [PATCH v2 1/5] 9pfs: fix qemu_mknodat(S_IFREG) on macOS Christian Schoenebeck
2022-04-21 16:32   ` Greg Kurz
2022-04-21 15:07 ` [PATCH v2 2/5] 9pfs: fix qemu_mknodat(S_IFSOCK) " Christian Schoenebeck
2022-04-21 16:36   ` Greg Kurz
2022-04-21 17:29     ` Christian Schoenebeck
2022-04-22  2:43   ` Akihiko Odaki
2022-04-22 14:06     ` Christian Schoenebeck
2022-04-23  4:33       ` Akihiko Odaki
2022-04-24 18:45         ` Christian Schoenebeck
2022-04-26  3:57           ` Akihiko Odaki
2022-04-26 12:38             ` Greg Kurz
2022-04-27  2:27               ` Akihiko Odaki
2022-04-27 10:18                 ` Greg Kurz
2022-04-27 12:32                   ` Christian Schoenebeck
2022-04-27 13:31                     ` Greg Kurz
2022-04-27 16:18                       ` Christian Schoenebeck
2022-04-27 17:12                         ` Will Cohen
2022-04-27 18:16                           ` Christian Schoenebeck [this message]
2022-04-27 17:37                         ` Greg Kurz
2022-04-27 18:36                           ` Christian Schoenebeck
2022-04-21 15:07 ` [PATCH v2 3/5] 9pfs: fix wrong encoding of rdev field in Rgetattr " Christian Schoenebeck
2022-04-21 16:39   ` Greg Kurz
2022-04-21 15:07 ` [PATCH v2 4/5] 9pfs: fix wrong errno being sent to Linux client on macOS host Christian Schoenebeck
2022-04-21 16:39   ` Greg Kurz
2022-04-21 15:07 ` [PATCH v2 5/5] 9pfs: fix removing non-existent POSIX ACL xattr " Christian Schoenebeck
2022-04-21 16:40   ` Greg Kurz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2537696.GXuhJ82tfg@silver \
    --to=qemu_oss@crudebyte.com \
    --cc=akihiko.odaki@gmail.com \
    --cc=groug@kaod.org \
    --cc=keno@juliacomputing.com \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-stable@nongnu.org \
    --cc=reactorcontrol@icloud.com \
    --cc=wwcohen@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.