All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Durrant <Paul.Durrant@citrix.com>
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: Anthony Perard <anthony.perard@citrix.com>,
	Ian Jackson <Ian.Jackson@citrix.com>,
	Wei Liu <wei.liu2@citrix.com>,
	George Dunlap <George.Dunlap@citrix.com>
Subject: Re: [PATCH v4 4/6] tools/dm_restrict: Unshare mount and IPC namespaces on Linux
Date: Tue, 6 Nov 2018 09:16:35 +0000	[thread overview]
Message-ID: <48cdd789994e421faaf825a7d9b50aa0@AMSPEX02CL03.citrite.net> (raw)
In-Reply-To: <20181105180711.20322-4-george.dunlap@citrix.com>



> -----Original Message-----
> From: Xen-devel [mailto:xen-devel-bounces@lists.xenproject.org] On Behalf
> Of George Dunlap
> Sent: 05 November 2018 18:07
> To: xen-devel@lists.xenproject.org
> Cc: Anthony Perard <anthony.perard@citrix.com>; Ian Jackson
> <Ian.Jackson@citrix.com>; Wei Liu <wei.liu2@citrix.com>; George Dunlap
> <George.Dunlap@citrix.com>
> Subject: [Xen-devel] [PATCH v4 4/6] tools/dm_restrict: Unshare mount and
> IPC namespaces on Linux
> 
> QEMU running under Xen doesn't need mount or IPC functionality.
> Create and enter separate namespaces for each of these before
> executing QEMU, so that in the event that other restrictions fail, the
> process won't be able to even name system mount points or exsting
> non-file-based IPC descriptors to attempt to attack them.
> 
> Unsharing is something a process can only do to itself (it would
> seem); so add an os-specific "dm_preexec_restrict()" hook just before
> we exec() the device model.
> 
> Also add checks to depriv-process-checker.sh to verify that dm is
> running in a new namespace (or at least, a different one than the
> caller).
> 
> Suggested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
> ---
> Changes since v3:
> - Fix some more style issues
> 
> Changes since v2:
> - Return an error rather than calling exit()
> - Use LOGE() and print to the current stderr fd, rather than
>   printing to the new stderr fd via write()
> - Use r for external return values rather than rc.
> 
> CC: Ian Jackson <ian.jackson@citrix.com>
> CC: Wei Liu <wei.liu2@citrix.com>
> CC: Anthony Perard <anthony.perard@citrix.com>
> ---
>  docs/designs/qemu-deprivilege.md | 12 ++++++------
>  tools/libxl/libxl_dm.c           |  5 +++++
>  tools/libxl/libxl_freebsd.c      |  5 +++++
>  tools/libxl/libxl_internal.h     |  5 +++++
>  tools/libxl/libxl_linux.c        | 14 ++++++++++++++
>  tools/libxl/libxl_netbsd.c       |  5 +++++
>  6 files changed, 40 insertions(+), 6 deletions(-)
> 
> diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-
> deprivilege.md
> index 0395bbbb40..a461ebbadd 100644
> --- a/docs/designs/qemu-deprivilege.md
> +++ b/docs/designs/qemu-deprivilege.md
> @@ -78,12 +78,6 @@ Then adds the following to the qemu command-line:
> 
>  '''Tested''': Not tested
> 
> -## Restrictions / improvements still to do
> -
> -This lists potential restrictions still to do.  It is meant to be
> -listed in order of ease of implementation, with low-hanging fruit
> -first.
> -
>  ## Namespaces for unused functionality (Linux only)
> 
>  '''Description''': QEMU doesn't use the functionality associated with
> @@ -111,6 +105,12 @@ call:
> 
>  [qemu-namespaces]: https://lists.gnu.org/archive/html/qemu-devel/2017-
> 10/msg04723.html
> 
> +# Restrictions / improvements still to do
> +
> +This lists potential restrictions still to do.  It is meant to be
> +listed in order of ease of implementation, with low-hanging fruit
> +first.
> +
>  ### Basic RLIMITs
> 
>  '''Description''': A number of limits on the resources that a given
> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
> index ad3efcc783..278cfd6e6e 100644
> --- a/tools/libxl/libxl_dm.c
> +++ b/tools/libxl/libxl_dm.c
> @@ -2393,6 +2393,11 @@ retry_transaction:
>          goto out_close;
>      if (!rc) { /* inner child */
>          setsid();
> +        if (libxl_defbool_val(b_info->dm_restrict)) {
> +            rc = libxl__local_dm_preexec_restrict(gc);
> +            if (rc)
> +                _exit(-1);
> +        }
>          libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs);
>      }
> 
> diff --git a/tools/libxl/libxl_freebsd.c b/tools/libxl/libxl_freebsd.c
> index 6442ccec72..f7ef4a8910 100644
> --- a/tools/libxl/libxl_freebsd.c
> +++ b/tools/libxl/libxl_freebsd.c
> @@ -245,3 +245,8 @@ int libxl__pci_topology_init(libxl__gc *gc,
>  {
>      return ERROR_NI;
>  }
> +
> +int libxl__local_dm_preexec_restrict(libxl__gc *gc)
> +{
> +    return 0;
> +}
> diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
> index ff889385fe..e498435e16 100644
> --- a/tools/libxl/libxl_internal.h
> +++ b/tools/libxl/libxl_internal.h
> @@ -3774,6 +3774,11 @@ struct libxl__dm_spawn_state {
> 
>  _hidden void libxl__spawn_local_dm(libxl__egc *egc,
> libxl__dm_spawn_state*);
> 
> +/*
> + * Called after forking but before executing the local devicemodel.
> + */
> +_hidden int libxl__local_dm_preexec_restrict(libxl__gc *gc);
> +
>  /* Stubdom device models. */
> 
>  typedef struct {
> diff --git a/tools/libxl/libxl_linux.c b/tools/libxl/libxl_linux.c
> index 6ef0abc693..c7a345f4bb 100644
> --- a/tools/libxl/libxl_linux.c
> +++ b/tools/libxl/libxl_linux.c
> @@ -307,6 +307,20 @@ int libxl__pci_topology_init(libxl__gc *gc,
>      return err;
>  }
> 
> +int libxl__local_dm_preexec_restrict(libxl__gc *gc)
> +{
> +    int r;
> +
> +    /* Unshare mount and IPC namespaces.  These are unused by QEMU. */
> +    r = unshare(CLONE_NEWNS | CLONE_NEWIPC);
> +    if (r) {
> +        LOGE(ERROR, "libxl: Mount and IPC namespace unfailed");
> +        return ERROR_FAIL;
> +    }
> +
> +    return 0;
> +}
> +
>  /*
>   * Local variables:
>   * mode: C
> diff --git a/tools/libxl/libxl_netbsd.c b/tools/libxl/libxl_netbsd.c
> index 2edfb00641..dce3f1fdce 100644
> --- a/tools/libxl/libxl_netbsd.c
> +++ b/tools/libxl/libxl_netbsd.c
> @@ -124,3 +124,8 @@ int libxl__pci_topology_init(libxl__gc *gc,
>  {
>      return ERROR_NI;
>  }
> +
> +void libxl__local_dm_preexec_restrict(libxl__gc *gc, int stderrfd)
> +{
> +    return;
> +}

This is a void function whereas the caller always appears to expect an int return value, regardless of OS.

  Paul

> --
> 2.19.1
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xenproject.org
> https://lists.xenproject.org/mailman/listinfo/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  reply	other threads:[~2018-11-06  9:16 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-05 18:07 [PATCH v4 1/6] docs/qemu-deprivilege: Revise and update with status and future plans George Dunlap
2018-11-05 18:07 ` [PATCH v4 2/6] SUPPORT.md: Add qemu-depriv section George Dunlap
2018-11-06  9:08   ` Paul Durrant
2018-11-06 12:14     ` George Dunlap
2018-11-06 11:50   ` Ian Jackson
2018-11-05 18:07 ` [PATCH v4 3/6] tools/dm_restrict: Ask QEMU to chroot George Dunlap
2018-11-06  9:14   ` Paul Durrant
2018-11-06 10:28     ` George Dunlap
2018-11-06 10:53       ` Paul Durrant
2018-11-06 11:11         ` Anthony PERARD
2018-11-06 11:12           ` Paul Durrant
2018-11-05 18:07 ` [PATCH v4 4/6] tools/dm_restrict: Unshare mount and IPC namespaces on Linux George Dunlap
2018-11-06  9:16   ` Paul Durrant [this message]
2018-11-06 10:29     ` George Dunlap
2018-11-05 18:07 ` [PATCH v4 5/6] tools/dm_depriv: Add first cut RLIMITs George Dunlap
2018-11-06  9:22   ` Paul Durrant
2018-11-06 10:39     ` George Dunlap
2018-11-06 11:52   ` Ian Jackson
2018-11-05 18:07 ` [PATCH v4 6/6] RFC: test/depriv: Add a tool to check process-level depriv George Dunlap
2018-11-06  9:34   ` Paul Durrant
2018-11-06 10:43     ` George Dunlap
2018-11-05 18:08 ` [PATCH v4 1/6] docs/qemu-deprivilege: Revise and update with status and future plans George Dunlap
2018-11-06  9:07 ` Paul Durrant
2018-11-06 11:06   ` Anthony PERARD
2018-11-06 11:50 ` Ian Jackson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48cdd789994e421faaf825a7d9b50aa0@AMSPEX02CL03.citrite.net \
    --to=paul.durrant@citrix.com \
    --cc=George.Dunlap@citrix.com \
    --cc=Ian.Jackson@citrix.com \
    --cc=anthony.perard@citrix.com \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.