* [PATCH-for-4.12] docs: Fix dm_restrict documentation
@ 2019-01-24 17:48 George Dunlap
From: George Dunlap @ 2019-01-24 17:48 UTC (permalink / raw)
To: xen-devel
Cc: Anthony Perard, Ian Jackson, Wei Liu, George Dunlap, Juergen Gross
Remove "chatty" and redundant information from the xl man page;
restrict it to functional descriptions only, and point instead to
qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
information.

Add a man page entry for device_model_user.

Update qemu-deprivilege.pandoc:

Changes in missing feature list:
- Migration is functional
- But qdisk backends are not

Add a missing restriction list.

The following statements from the man page are dropped:
- Mentioning PV; PV guests never have a device model.
- Drop the confusing statement about stdvga and cirrus vga options.
- Re-used domain IDs are now handled.
- Device models should no longer be able to create world-readable
files on dom0's filesystem.
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
---
RFC: I don't know what the 'vga' limitation thing was about -- I tried
both 'default' and 'stdvga' with dm_restrict and they worked fine.

Freeze exception justification:
- Fixing a "bug" in the docs
- No functional change
CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Anthony Perard <anthony.perard@citrix.com>
CC: Juergen Gross <jgross@suse.com>
---
docs/features/qemu-deprivilege.pandoc | 12 ++--
docs/man/xl.cfg.5.pod.in | 100 +++-----------------------
2 files changed, 16 insertions(+), 96 deletions(-)
diff --git a/docs/features/qemu-deprivilege.pandoc b/docs/features/qemu-deprivilege.pandoc
index 20d6ac2189..cfe528b1d3 100644
--- a/docs/features/qemu-deprivilege.pandoc
+++ b/docs/features/qemu-deprivilege.pandoc
@@ -110,10 +110,14 @@ See docs/design/qemu-deprivilege.md for technical details.
The following features still need to be implemented:
* Inserting a new cdrom while the guest is running (xl cdrom-insert)
- * Migration / save / restore
-
-dm_restrict is totally unsupported and may have unexpected security
-problems if used with a dom0 Linux kernel earlier than 2.6.18.
+ * Support for qdisk backends
+
+A number of restrictions still need to be implemented. A compromised
+device model may be able to do the following:
+ * Delay or exploit weaknesses in the toolstack
+ * Launch "fork bombs" or other resource exhaustion attacks
+ * Make network connections on the management network
+ * Break out of the restrictions after migration
Additionally, getting PCI passthrough to work securely would require a
significant rework of how passthrough works at the moment. It may be
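Review bot: the removed warning about a dom0 Linux kernel earlier than 2.6.18 (`-dm_restrict is totally unsupported and may have unexpected security` / `-problems if used with a dom0 Linux kernel earlier than 2.6.18.`) is dropped here without appearing in the commit message's list of dropped statements; if the kernel requirement is obsolete, or now lives elsewhere in this file, say so in the message. In the new restriction list, `+ * Delay or exploit weaknesses in the toolstack` bundles two different things and leaves "delay" without an object; split it into separate items, or state what a compromised device model can delay (for example toolstack operations that wait on it), so the reader knows which risk remains.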
diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
index 3b92f39d8d..ad81af1ed8 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
@@ -1316,104 +1316,20 @@ connectors=id0:1920x1080;id1:800x600;id2:640x480
Restrict the device model after startup,
to limit the consequencese of security vulnerabilities in qemu.
-With this feature enabled,
-a compromise of the device model,
-via such a vulnerability,
-will not provide a privilege escalation attack on the whole system.
+See docs/features/qemu-depriv.pandoc for more information
+on Linux and QEMU version requirements, device model user setup,
+and current limitations.
This feature is a B<technology preview>.
-There are some significant limitations:
+See SUPPORT.md for a security support statement.
-=over 4
-
-=item
-
-This is not likely to work at all for PV guests
-nor guests using qdisk backends for their block devices.
-
-=item
-
-You must have a new enough qemu.
-In particular,
-if your qemu does not have the commit
-B<xen: restrict: use xentoolcore_restrict_all>
-the restriction request will be silently ineffective!
-
-=item
-
-The mechanisms used are not effective against
-denial of service problems.
-A compromised qemu can probably still impair
-or perhaps even prevent
-the proper functioning of the whole system,
-(at the very least, but not limited to,
-through resource exhaustion).
-
-=item
-
-It is not known whether the protection is
-effective when a domain is migrated.
-
-=item
-
-Some domain management functions do not work.
-For example, cdrom insert will fail.
-
-=item
+=item B<device_model_user=USERNAME>
-You should say C<vga="none">.
-Domains with stdvga graphics cards to not work.
-Domains with cirrus vga may seem to work.
+When running dm_restrict, run the device model as this user.
-=item
+NOTE: Each domain MUST have a SEPARATE username.
-You must create user(s) for qemu to run as.
-
-Ideally, set aside a range of 32752 uids
-(from N to N+32751)
-and create a user
-whose name is B<xen-qemuuser-range-base>
-and whose uid is N
-and whose gid is a plain unprivileged gid.
-libxl will use one such user for each domid.
-
-Alternatively, either create
-B<xen-qemuuser-domid$domid>
-for every $domid from 1 to 32751 inclusive,
-or
-B<xen-qemuuser-shared>
-(in which case different guests will not
-be protected against each other).
-
-=item
-
-There are no countermeasures taken against reuse
-of the same unix user (uid)
-for subsequent domains,
-even if the B<xen-qemuuser-domid$domid> users are created.
-So a past domain with the same domid may be able to
-interferer with future domains.
-Possibly, even after a reboot.
-
-=item
-
-A compromised qemu will be able to read world-readable
-files in the dom0 operating system.
-
-=item
-
-Because of these limitations, this functionality,
-while it may enhance your security,
-should not be relied on.
-Any further limitations discovered in the current version
-will B<not> be handled via the Xen Project Security Process.
-
-=item
-
-In the future as we enhance this feature to improve the security,
-we may break backward compatibility.
-
-=back
+See docs/features/qemu-depriv.pandoc for more information.
=item B<vsnd=[ VCARD_SPEC, VCARD_SPEC, ... ]>
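Review bot: both new cross-references point at docs/features/qemu-depriv.pandoc (`+See docs/features/qemu-depriv.pandoc for more information` appears twice in this hunk), but the file this same patch modifies is docs/features/qemu-deprivilege.pandoc; one of the two names is wrong, and from the diff header it is the short form, so fix the path in both places so the reference resolves. While in this section, the kept context line `to limit the consequencese of security vulnerabilities in qemu.` has a typo (consequences), and `+NOTE: Each domain MUST have a SEPARATE username.` would be more useful to an administrator if it kept the one-line reason the removed text gave (a shared user leaves guests unprotected from each other).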
--
2.20.1
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply related [flat|nested] 7+ messages in thread
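The man page entry added by this patch states two operational requirements without giving an administrator a way to verify them: dm_restrict needs a new enough QEMU (the thread below settles on 3.0 or newer), and each restricted domain must run its device model as a separate device_model_user. The following pre-flight checker is an added example and is not code from this patch or from the Xen tree; it assumes the plain `key = value` subset of xl.cfg syntax, that a major.minor comparison against `qemu-system-* --version` output is sufficient, and uses constructed guest configs as input.

```python
"""Pre-flight checks for xl guest configs that turn on dm_restrict.

Added example; not code from the patch or the Xen tree. It assumes the
plain 'key = value' subset of xl.cfg syntax and the two requirements the
thread states: dm_restrict needs QEMU 3.0 or newer, and every restricted
domain must run its device model under its own, separate device_model_user.
"""
import re
from collections import defaultdict

# Per the thread: QEMU 3.0+ is required for dm_restrict (assumption: a
# major.minor comparison against "qemu-system-* --version" output is enough).
QEMU_MIN_VERSION = (3, 0)


def parse_xl_cfg(text):
    """Parse the 'key = value' subset of xl.cfg: '#' comments, quoted strings
    and bare integers. Lists and quoted values containing '#' are out of scope."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        elif value.isdigit():
            value = int(value)
        cfg[key] = value
    return cfg


def qemu_version_ok(version_output):
    """True if the 'version X.Y' in qemu's --version output is >= QEMU_MIN_VERSION."""
    match = re.search(r"version (\d+)\.(\d+)", version_output)
    if not match:
        return False
    return (int(match.group(1)), int(match.group(2))) >= QEMU_MIN_VERSION


def check_configs(configs):
    """configs maps a guest name to its xl.cfg text.

    Returns (guest, problem) pairs for restricted domains that either set no
    device_model_user or share one with another restricted domain; a shared
    user means the guests' device models are not isolated from each other."""
    problems = []
    users = defaultdict(list)  # device_model_user -> restricted guests using it
    for guest, text in configs.items():
        cfg = parse_xl_cfg(text)
        if str(cfg.get("dm_restrict", 0)) != "1":
            continue  # unrestricted domain: nothing to check
        user = cfg.get("device_model_user")
        if not user:
            problems.append((guest, "dm_restrict=1 but device_model_user is not set; "
                                    "confirm which user the device model will run as"))
            continue
        users[user].append(guest)
    for user, guests in users.items():
        if len(guests) > 1:
            for guest in guests:
                others = ", ".join(g for g in guests if g != guest)
                problems.append((guest, f'device_model_user "{user}" is shared with {others}; '
                                        "each restricted domain needs its own user"))
    return problems


# Constructed sample configs (not real guests); guest1/guest2 share a user,
# guest3 sets none, guest4 is correct, guest5 is not restricted at all.
SAMPLE_CONFIGS = {
    "guest1": 'name = "guest1"\ntype = "hvm"\ndm_restrict = 1\n'
              'device_model_user = "xen-qemuuser-shared"  # shared: guests not isolated\n',
    "guest2": 'name = "guest2"\ntype = "hvm"\ndm_restrict = 1\n'
              'device_model_user = "xen-qemuuser-shared"\n',
    "guest3": 'name = "guest3"\ntype = "hvm"\ndm_restrict = 1\n',
    "guest4": 'name = "guest4"\ntype = "hvm"\ndm_restrict = 1\n'
              'device_model_user = "xen-qemuuser-guest4"\n',
    "guest5": 'name = "guest5"\ntype = "hvm"\ndm_restrict = 0\n'
              'device_model_user = "xen-qemuuser-shared"  # unrestricted, so not checked\n',
}


def run_checks(configs=SAMPLE_CONFIGS):
    """Run the user-separation check over a set of configs (defaults to the sample)."""
    return check_configs(configs)


if __name__ == "__main__":
    for guest, problem in run_checks():
        print(f"{guest}: {problem}")
```

On a real dom0 the version string would come from running the configured device model binary with `--version`, and `configs` would be read from the guest config directory; the checker deliberately skips unrestricted domains, since device_model_user only matters once dm_restrict is on.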
* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
From: Juergen Gross @ 2019-01-25 5:47 UTC (permalink / raw)
To: George Dunlap, xen-devel; +Cc: Anthony Perard, Ian Jackson, Wei Liu
On 24/01/2019 18:48, George Dunlap wrote:
> Remove "chatty" and redundant information from the xl man page;
> restrict it to functional descriptions only, and point instead to
> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> information.
>
> Add a man page entry for device_model_user.
>
> Update qemu-deprivilege.pandoc:
>
> Changes in missing feature list:
> - Migration is functional
> - But qdisk backends are not
>
> Add a missing restriction list.
>
> The following statements from the man page are dropped:
> - Mentioning PV; PV guests never have a device model.
> - Drop the confusing statement about stdvga and cirrus vga options.
> - Re-used domain IDs are now handled.
> - Device models should no longer be able to create world-readable
> files on dom0's filesystem.
>
> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Release-acked-by: Juergen Gross <jgross@suse.com>
Juergen
* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
From: Wei Liu @ 2019-01-25 11:33 UTC (permalink / raw)
To: George Dunlap
Cc: Anthony Perard, xen-devel, Wei Liu, Juergen Gross, Ian Jackson
On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> Remove "chatty" and redundant information from the xl man page;
> restrict it to functional descriptions only, and point instead to
> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> information.
>
> Add a man page entry for device_model_user.
>
> Update qemu-deprivilege.pandoc:
>
> Changes in missing feature list:
> - Migration is functional
> - But qdisk backends are not
>
> Add a missing restriction list.
>
> The following statements from the man page are dropped:
> - Mentioning PV; PV guests never have a device model.
> - Drop the confusing statement about stdvga and cirrus vga options.
> - Re-used domain IDs are now handled.
> - Device models should no longer be able to create world-readable
> files on dom0's filesystem.
>
> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> ---
> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> both 'default' and 'stdvga' with dm_restrict and they worked fine.
I think until we figure out the situation of vga, the statement should
stay.
Wei.
* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
From: George Dunlap @ 2019-01-25 14:47 UTC (permalink / raw)
To: Wei Liu; +Cc: Anthony Perard, xen-devel, Juergen Gross, Ian Jackson
On 1/25/19 11:33 AM, Wei Liu wrote:
> On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
>> Remove "chatty" and redundant information from the xl man page;
>> restrict it to functional descriptions only, and point instead to
>> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
>> information.
>>
>> Add a man page entry for device_model_user.
>>
>> Update qemu-deprivilege.pandoc:
>>
>> Changes in missing feature list:
>> - Migration is functional
>> - But qdisk backends are not
>>
>> Add a missing restriction list.
>>
>> The following statements from the man page are dropped:
>> - Mentioning PV; PV guests never have a device model.
>> - Drop the confusing statement about stdvga and cirrus vga options.
>> - Re-used domain IDs are now handled.
>> - Device models should no longer be able to create world-readable
>> files on dom0's filesystem.
>>
>> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
>> ---
>> RFC: I don't know what the 'vga' limitation thing was about -- I tried
>> both 'default' and 'stdvga' with dm_restrict and they worked fine.
>
> I think until we figure out the situation of vga, the statement should
> stay.
How would we do that?
-George
* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
From: Wei Liu @ 2019-01-25 16:10 UTC (permalink / raw)
To: George Dunlap
Cc: Anthony Perard, xen-devel, Wei Liu, Juergen Gross, Ian Jackson
On Fri, Jan 25, 2019 at 02:47:20PM +0000, George Dunlap wrote:
> On 1/25/19 11:33 AM, Wei Liu wrote:
> > On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> >> Remove "chatty" and redundant information from the xl man page;
> >> restrict it to functional descriptions only, and point instead to
> >> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> >> information.
> >>
> >> Add a man page entry for device_model_user.
> >>
> >> Update qemu-deprivilege.pandoc:
> >>
> >> Changes in missing feature list:
> >> - Migration is functional
> >> - But qdisk backends are not
> >>
> >> Add a missing restriction list.
> >>
> >> The following statements from the man page are dropped:
> >> - Mentioning PV; PV guests never have a device model.
> >> - Drop the confusing statement about stdvga and cirrus vga options.
> >> - Re-used domain IDs are now handled.
> >> - Device models should no longer be able to create world-readable
> >> files on dom0's filesystem.
> >>
> >> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> >> ---
> >> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> >> both 'default' and 'stdvga' with dm_restrict and they worked fine.
> >
> > I think until we figure out the situation of vga, the statement should
> > stay.
>
> How would we do that?
Per my understanding:
Setting vga option to anything else other than "none" may not work
?
Wei.
>
> -George
* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
From: Anthony PERARD @ 2019-01-25 16:39 UTC (permalink / raw)
To: Wei Liu; +Cc: Juergen Gross, xen-devel, George Dunlap, Ian Jackson
On Fri, Jan 25, 2019 at 04:10:55PM +0000, Wei Liu wrote:
> On Fri, Jan 25, 2019 at 02:47:20PM +0000, George Dunlap wrote:
> > On 1/25/19 11:33 AM, Wei Liu wrote:
> > > On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> > >> Remove "chatty" and redundant information from the xl man page;
> > >> restrict it to functional descriptions only, and point instead to
> > >> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> > >> information.
> > >>
> > >> Add a man page entry for device_model_user.
> > >>
> > >> Update qemu-deprivilege.pandoc:
> > >>
> > >> Changes in missing feature list:
> > >> - Migration is functional
> > >> - But qdisk backends are not
> > >>
> > >> Add a missing restriction list.
> > >>
> > >> The following statements from the man page are dropped:
> > >> - Mentioning PV; PV guests never have a device model.
> > >> - Drop the confusing statement about stdvga and cirrus vga options.
> > >> - Re-used domain IDs are now handled.
> > >> - Device models should no longer be able to create world-readable
> > >> files on dom0's filesystem.
> > >>
> > >> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> > >> ---
> > >> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> > >> both 'default' and 'stdvga' with dm_restrict and they worked fine.
> > >
> > > I think until we figure out the situation of vga, the statement should
> > > stay.
> >
> > How would we do that?
>
> Per my understanding:
>
> Setting vga option to anything else other than "none" may not work
>
> ?
Is there an issue with the vga setting and dm_restrict=1? I never had
any problem. Accessing the guest graphic output via VNC while running
with dm_restrict works fine. (But I only ever use the default.)
Maybe it's time to blame! And do some archeology ...
Based on commit 7d278e2115d084a5f78a512ae01ce946c10cff7d
"xl: Document VGA problems arising from lack of physmap dmop"
the issue is just that using xc_domain_add_to_physmap doesn't work.

But that issue has been addressed with new DMOPs, and QEMU has had
support for them since:
commit 2cbf8903530b936964dd3af7e2e5bf85c3955d5c
"xen: Use newly added dmops for mapping VGA memory"
which is QEMU 3.0.

qemu-xen-4.12.0 is at least QEMU 3.0. So it should be just a matter of
documenting that we need QEMU 3.0.
But based on qemu-deprivilege.pandoc, QEMU 3.0 is required for
dm_restrict to work, so all is fine. The original mention of a problem
with vga!=none isn't true anymore.

The version requirement is documented in the man page, which redirects to
qemu-deprivilege.pandoc, which specifies QEMU 3.0+. So all is fine.
Cheers,
--
Anthony PERARD
* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
From: Wei Liu @ 2019-01-25 16:55 UTC (permalink / raw)
To: Anthony PERARD
Cc: Juergen Gross, xen-devel, Wei Liu, George Dunlap, Ian Jackson
On Fri, Jan 25, 2019 at 04:39:35PM +0000, Anthony PERARD wrote:
> On Fri, Jan 25, 2019 at 04:10:55PM +0000, Wei Liu wrote:
> > On Fri, Jan 25, 2019 at 02:47:20PM +0000, George Dunlap wrote:
> > > On 1/25/19 11:33 AM, Wei Liu wrote:
> > > > On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> > > >> Remove "chatty" and redundant information from the xl man page;
> > > >> restrict it to functional descriptions only, and point instead to
> > > >> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> > > >> information.
> > > >>
> > > >> Add a man page entry for device_model_user.
> > > >>
> > > >> Update qemu-deprivilege.pandoc:
> > > >>
> > > >> Changes in missing feature list:
> > > >> - Migration is functional
> > > >> - But qdisk backends are not
> > > >>
> > > >> Add a missing restriction list.
> > > >>
> > > >> The following statements from the man page are dropped:
> > > >> - Mentioning PV; PV guests never have a device model.
> > > >> - Drop the confusing statement about stdvga and cirrus vga options.
> > > >> - Re-used domain IDs are now handled.
> > > >> - Device models should no longer be able to create world-readable
> > > >> files on dom0's filesystem.
> > > >>
> > > >> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> > > >> ---
> > > >> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> > > >> both 'default' and 'stdvga' with dm_restrict and they worked fine.
> > > >
> > > > I think until we figure out the situation of vga, the statement should
> > > > stay.
> > >
> > > How would we do that?
> >
> > Per my understanding:
> >
> > Setting vga option to anything else other than "none" may not work
> >
> > ?
>
> Is there an issue with the vga setting and dm_restrict=1? I never had
> any problem. Accessing the guest graphic output via VNC while running
> with dm_restrict works fine. (But I only ever use the default.)
>
> Maybe it's time to blame! And do some archeology ...
>
> Based on commit 7d278e2115d084a5f78a512ae01ce946c10cff7d
> "xl: Document VGA problems arising from lack of physmap dmop"
> the issue is just that using xc_domain_add_to_physmap doesn't work.
>
> But that issue has been addressed with new DMOPs, and QEMU has had
> support for them since:
> commit 2cbf8903530b936964dd3af7e2e5bf85c3955d5c
> "xen: Use newly added dmops for mapping VGA memory"
> which is QEMU 3.0.
>
> qemu-xen-4.12.0 is at least QEMU 3.0. So it should be just a matter of
> documenting that we need QEMU 3.0.
> But based on qemu-deprivilege.pandoc, QEMU 3.0 is required for
> dm_restrict to work, so all is fine. The original mention of a problem
> with vga!=none isn't true anymore.
>
> The version requirement is documented in the man page, which redirects to
> qemu-deprivilege.pandoc, which specifies QEMU 3.0+. So all is fine.
OK. That's convincing. Thanks for digging.
We can remove the statement for 4.12.
Acked-by: Wei Liu <wei.liu2@citrix.com>