From: Corey Bryant
Date: Mon, 07 May 2012 12:10:34 -0400
To: Eric Blake
Cc: Kevin Wolf, Anthony Liguori, Stefan Hajnoczi, libvir-list@redhat.com, qemu-devel@nongnu.org, Anthony Liguori
Subject: Re: [Qemu-devel] [libvirt] [RFC 0/5] block: File descriptor passing using -open-hook-fd
Message-ID: <4FA7F3FA.40306@linux.vnet.ibm.com>
In-Reply-To: <4FA0608A.7070800@redhat.com>
References: <1335886307-27586-1-git-send-email-stefanha@linux.vnet.ibm.com> <4FA046C6.5080909@us.ibm.com> <4FA0598E.1040408@linux.vnet.ibm.com> <4FA05B63.3090301@codemonkey.ws> <4FA0608A.7070800@redhat.com>

On 05/01/2012 06:15 PM, Eric Blake wrote:
> On 05/01/2012 03:53 PM, Anthony Liguori wrote:
>
>>> I think (correct me if I'm wrong) libvirt should be aware of any file
>>> that qemu asks it to open. So from a security point of view, libvirt
>>> can prevent opening a file if it isn't affiliated with the guest.
>>
>> Right, libvirt can maintain a whitelist of files QEMU is allowed to open
>> (which it already has because it needs to label these files).
>
> Indeed.
>
>> The only complexity is that it's not a straight strcmp(). The path needs
>> to be (carefully) broken into components with '.' and '..' handled
>> appropriately. But this shouldn't be that difficult to do.
>
> Libvirt would probably canonicalize path names, both when sticking them
> in the whitelist, and in validating the requests from qemu - agreed that
> it's not difficult.
>
> More importantly, libvirt needs to start tracking the backing chain of
> any qcow2 or qed file as part of the domain XML; and operations like
> 'block-stream' would update not only the chain, but also the whitelist.
> In the drive-reopen case, this means that libvirt would have to be
> careful when to change labeling - provide access to the new files before
> drive-reopen, then revoke access to files after drive-reopen completes.
> In other words, having the -open-hook-fd client pass a command to
> libvirt at the time it is closing an fd would help libvirt know when
> qemu has quit using a file, which might make it easier to revoke SELinux
> labels at that time.
>

If we were to go with this approach, I think the following updates would
be required for libvirt. Could you let me know if I'm missing anything?
libvirt tasks:
- Introduce a data structure to store file whitelist per guest
- Add -open-hook-fd option to QEMU command line and pass Unix domain socket fd to QEMU
- Create open() handler that handles requests from QEMU to open files and passes back fd
- Potentially also handle close requests from QEMU? Would allow libvirt to update XML and whitelist (as well as SELinux labels).
- Canonicalize path names when putting them in whitelist and when validating requests from QEMU
- XML updates to track backing chain of qcow2 and qed files
- Update whitelist and XML chain when QEMU monitor commands are used to open new files: block-stream, drive-reopen, drive_add, savevm, snapshot_blkdev, change

Updates would also be required for SELinux and AppArmor policy to allow libvirt open of NFS files, and allow QEMU read/write (no open allowed) of NFS files.

-- 
Regards,
Corey
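The canonicalize-then-compare step discussed above, as an added example that is not libvirt's or QEMU's code: a lexical canonicalizer that splits a requested path into components, drops "." and resolves "..", then checks the result against a per-guest whitelist by exact string compare. The function names, the buffer size and the assumption that whitelist entries are already stored canonicalized are mine; symlinks are deliberately not resolved here, so the open() handler would still need to account for them (for instance by comparing realpath() of the file it actually opened).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Lexically canonicalize an absolute path: collapse repeated '/', drop "."
 * and resolve ".." against components already emitted. Returns 0 on success,
 * -1 for a relative path, a ".." that would climb above "/", or a too-small
 * buffer. Symlinks are NOT resolved; the open() handler still owns that. */
int canon_path(const char *in, char *out, size_t outlen)
{
    size_t n = 0;                          /* bytes in out, excluding NUL */
    const char *p = in;
    if (in[0] != '/') return -1;
    while (*p) {
        while (*p == '/') p++;             /* skip one or more separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;      /* "." adds nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return -1;         /* fail closed, do not clamp at "/" */
            while (out[--n] != '/') {}     /* drop the last emitted component */
            continue;
        }
        if (n + 1 + len + 1 > outlen) return -1;        /* '/' + comp + NUL */
        out[n++] = '/';
        memcpy(out + n, start, len);
        n += len;
    }
    if (n == 0) {                          /* everything collapsed to root */
        if (outlen < 2) return -1;
        out[n++] = '/';
    }
    out[n] = '\0';
    return 0;
}

/* Whitelist check. 'wl' holds paths libvirt stored already canonicalized
 * (assumed); a request matches only by exact strcmp() after canonicalizing,
 * so "a/../b" and "a//b" resolve to the same entry as "a/b". */
bool whitelist_allows(const char *const *wl, size_t nwl, const char *req)
{
    char canon[4096];                      /* PATH_MAX-sized scratch buffer */
    if (canon_path(req, canon, sizeof canon) != 0) return false;
    for (size_t i = 0; i < nwl; i++)
        if (strcmp(wl[i], canon) == 0) return true;
    return false;
}
```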