* [PATCH-for-4.12] docs: Fix dm_restrict documentation
@ 2019-01-24 17:48 George Dunlap
  2019-01-25  5:47 ` Juergen Gross
  2019-01-25 11:33 ` Wei Liu
From: George Dunlap @ 2019-01-24 17:48 UTC (permalink / raw)
  To: xen-devel
  Cc: Anthony Perard, Ian Jackson, Wei Liu, George Dunlap, Juergen Gross

Remove "chatty" and redundant information from the xl man page;
restrict it to functional descriptions only, and point instead to
qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
information.

Add a man page entry for device_model_user.

Update qemu-deprivilege.pandoc:

Changes in missing feature list:
- Migration is functional
- But qdisk backends are not

Add a missing restriction list.

The following statements from the man page are dropped:
- Mentioning PV; PV guests never have a device model.
- Drop the confusing statement about stdvga and cirrus vga options.
- Re-used domain IDs are now handled.
- Device models should no longer be able to create world-readable
  files on dom0's filesystem.

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
---
RFC: I don't know what the 'vga' limitation thing was about -- I tried
both 'default' and 'stdvga' with dm_restrict and they worked fine.

Freeze exception justification:
- Fixing a "bug" in the docs
- No functional change

CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Anthony Perard <anthony.perard@citrix.com>
CC: Juergen Gross <jgross@suse.com>
---
 docs/features/qemu-deprivilege.pandoc |  12 ++--
 docs/man/xl.cfg.5.pod.in              | 100 +++-----------------------
 2 files changed, 16 insertions(+), 96 deletions(-)

diff --git a/docs/features/qemu-deprivilege.pandoc b/docs/features/qemu-deprivilege.pandoc
index 20d6ac2189..cfe528b1d3 100644
--- a/docs/features/qemu-deprivilege.pandoc
+++ b/docs/features/qemu-deprivilege.pandoc
@@ -110,10 +110,14 @@ See docs/design/qemu-deprivilege.md for technical details.
 
 The following features still need to be implemented:
  * Inserting a new cdrom while the guest is running (xl cdrom-insert)
- * Migration / save / restore
-
-dm_restrict is totally unsupported and may have unexpected security
-problems if used with a dom0 Linux kernel earlier than 2.6.18.
+ * Support for qdisk backends
+
+A number of restrictions still need to be implemented.  A compromised
+device model may be able to do the following:
+ * Delay or exploit weaknesses in the toolstack
+ * Launch "fork bombs" or other resource exhaustion attacks
+ * Make network connections on the management network
+ * Break out of the restrictions after migration
 
 Additionally, getting PCI passthrough to work securely would require a
 significant rework of how passthrough works at the moment.  It may be
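Review bot: the dom0 kernel requirement in the removed paragraph ("earlier than 2.6.18") is dropped without a replacement in this hunk, while the xl.cfg.5 hunk now redirects readers to this file for "Linux and QEMU version requirements"; please confirm the requirements section earlier in this file already states a Linux version, or keep a one-line pointer here. The new item "Delay or exploit weaknesses in the toolstack" is also vaguer than the other three; naming the toolstack interactions a restricted device model still has (for example the channels it keeps open to libxl) would let readers judge the exposure.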
diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
index 3b92f39d8d..ad81af1ed8 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
@@ -1316,104 +1316,20 @@ connectors=id0:1920x1080;id1:800x600;id2:640x480
 Restrict the device model after startup,
 to limit the consequencese of security vulnerabilities in qemu.
 
-With this feature enabled,
-a compromise of the device model,
-via such a vulnerability,
-will not provide a privilege escalation attack on the whole system.
+See docs/features/qemu-depriv.pandoc for more information
+on Linux and QEMU version requirements, device model user setup,
+and current limitations.
 
 This feature is a B<technology preview>.
-There are some significant limitations:
+See SUPPORT.md for a security support statement.
 
-=over 4
-
-=item
-
-This is not likely to work at all for PV guests
-nor guests using qdisk backends for their block devices.
-
-=item
-
-You must have a new enough qemu.
-In particular,
-if your qemu does not have the commit
-B<xen: restrict: use xentoolcore_restrict_all>
-the restriction request will be silently ineffective!
-
-=item
-
-The mechanisms used are not effective against
-denial of service problems.
-A compromised qemu can probably still impair
-or perhaps even prevent
-the proper functioning of the whole system,
-(at the very least, but not limited to,
-through resource exhaustion).
-
-=item
-
-It is not known whether the protection is
-effective when a domain is migrated.
-
-=item
-
-Some domain management functions do not work.
-For example, cdrom insert will fail.
-
-=item
+=item B<device_model_user=USERNAME>
 
-You should say C<vga="none">.
-Domains with stdvga graphics cards to not work.
-Domains with cirrus vga may seem to work.
+When running dm_restrict, run the device model as this user.
 
-=item
+NOTE: Each domain MUST have a SEPARATE username.
 
-You must create user(s) for qemu to run as.
-
-Ideally, set aside a range of 32752 uids
-(from N to N+32751)
-and create a user
-whose name is B<xen-qemuuser-range-base>
-and whose uid is N
-and whose gid is a plain unprivileged gid.
-libxl will use one such user for each domid.
-
-Alternatively, either create
-B<xen-qemuuser-domid$domid>
-for every $domid from 1 to 32751 inclusive,
-or
-B<xen-qemuuser-shared>
-(in which case different guests will not
-be protected against each other).
-
-=item
-
-There are no countermeasures taken against reuse
-of the same unix user (uid)
-for subsequent domains,
-even if the B<xen-qemuuser-domid$domid> users are created.
-So a past domain with the same domid may be able to
-interferer with future domains.
-Possibly, even after a reboot.
-
-=item
-
-A compromised qemu will be able to read world-readable
-files in the dom0 operating system.
-
-=item
-
-Because of these limitations, this functionality,
-while it may enhance your security,
-should not be relied on.
-Any further limitations discovered in the current version
-will B<not> be handled via the Xen Project Security Process.
-
-=item
-
-In the future as we enhance this feature to improve the security,
-we may break backward compatibility.
-
-=back
+See docs/features/qemu-depriv.pandoc for more information.
 
 =item B<vsnd=[ VCARD_SPEC, VCARD_SPEC, ... ]>
 
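Review bot: both new references say docs/features/qemu-depriv.pandoc, but the file this patch edits is docs/features/qemu-deprivilege.pandoc, so the man page would send readers to a path that does not exist; use the real filename in the two "+See docs/features/qemu-depriv.pandoc" lines (the commit message has the same mismatch). Minor: the unchanged context line "consequencese" is a typo worth fixing while this paragraph is being touched, and the new =item B<device_model_user=USERNAME> entry could state what libxl does when it is unset, since the removed text documented the xen-qemuuser-range-base / xen-qemuuser-domid$domid / xen-qemuuser-shared fallbacks and that information now has no home in the man page.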
-- 
2.20.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
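As an added example (not part of this thread or of the Xen tree), a small Python linter that checks a set of xl domain configs against the constraints the patch documents: dm_restrict needs a separate device_model_user per domain, qdisk backends and PCI passthrough are not covered, and PV guests have no device model to restrict. The sample configs and the finding texts are constructed for the example; it assumes the `type = "hvm"` form of the guest-type key and parses only single-line `key = value` entries.

```python
import ast
import re

# Constructed sample domain configs in xl.cfg syntax (not from the patch).
SAMPLE_CONFIGS = {
    "web": """
type = "hvm"
dm_restrict = 1
device_model_user = "xen-qemuuser-web"
disk = [ "format=raw, vdev=xvda, access=rw, backendtype=phy, target=/dev/vg/web" ]
""",
    "db": """
type = "hvm"
dm_restrict = 1
device_model_user = "xen-qemuuser-web"   # reuses web's user: guests not isolated
disk = [ "format=qcow2, vdev=xvda, access=rw, backendtype=qdisk, target=/srv/db.qcow2" ]
pci = [ "03:00.0" ]
""",
    "legacy": """
type = "pv"
dm_restrict = 1
""",
}

KEY_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.+)$")


def parse_xl_cfg(text):
    """Parse single-line `key = value` entries (xl syntax is close to Python
    literals); multi-line lists are not handled, a simplification of this example."""
    cfg = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        key, raw = m.groups()
        try:
            cfg[key] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            cfg[key] = raw  # keep unparsable values verbatim
    return cfg


def lint_dm_restrict(configs):
    """Return (domain, finding) pairs for the constraints the dm_restrict docs state."""
    findings = []
    users_seen = {}  # device_model_user -> first domain that claimed it
    for name, text in configs.items():
        cfg = parse_xl_cfg(text)
        if cfg.get("dm_restrict") != 1:
            continue
        if cfg.get("type", "pv") != "hvm":
            findings.append((name, "dm_restrict on a non-HVM guest: PV guests have no device model"))
        user = cfg.get("device_model_user")
        if not user:
            findings.append((name, "device_model_user unset: the xen-qemuuser-* fallback users must exist"))
        elif user in users_seen or user == "xen-qemuuser-shared":
            findings.append((name, f"device_model_user {user!r} is not unique to this domain; each domain needs its own"))
        else:
            users_seen[user] = name
        disks = cfg.get("disk", [])
        if any("backendtype=qdisk" in d.replace(" ", "") for d in disks):
            findings.append((name, "qdisk backends are not supported with dm_restrict"))
        if cfg.get("pci"):
            findings.append((name, "PCI passthrough is not covered by dm_restrict"))
    return findings
```

Running `lint_dm_restrict(SAMPLE_CONFIGS)` reports nothing for "web", three findings for "db" (shared user, qdisk, PCI) and two for "legacy" (non-HVM, no user).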

* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
  2019-01-24 17:48 [PATCH-for-4.12] docs: Fix dm_restrict documentation George Dunlap
@ 2019-01-25  5:47 ` Juergen Gross
  2019-01-25 11:33 ` Wei Liu
From: Juergen Gross @ 2019-01-25  5:47 UTC (permalink / raw)
  To: George Dunlap, xen-devel; +Cc: Anthony Perard, Ian Jackson, Wei Liu

On 24/01/2019 18:48, George Dunlap wrote:
> Remove "chatty" and redundant information from the xl man page;
> restrict it to functional descriptions only, and point instead to
> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> information.
> 
> Add a man page entry for device_model_user.
> 
> Update qemu-deprivilege.pandoc:
> 
> Changes in missing feature list:
> - Migration is functional
> - But qdisk backends are not
> 
> Add a missing restriction list.
> 
> The following statements from the man page are dropped:
> - Mentioning PV; PV guests never have a device model.
> - Drop the confusing statement about stdvga and cirrus vga options.
> - Re-used domain IDs are now handled.
> - Device models should no longer be able to create world-readable
>   files on dom0's filesystem.
> 
> Signed-off-by: George Dunlap <george.dunlap@citrix.com>

Release-acked-by: Juergen Gross <jgross@suse.com>


Juergen

* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
  2019-01-24 17:48 [PATCH-for-4.12] docs: Fix dm_restrict documentation George Dunlap
  2019-01-25  5:47 ` Juergen Gross
@ 2019-01-25 11:33 ` Wei Liu
  2019-01-25 14:47   ` George Dunlap
From: Wei Liu @ 2019-01-25 11:33 UTC (permalink / raw)
  To: George Dunlap
  Cc: Anthony Perard, xen-devel, Wei Liu, Juergen Gross, Ian Jackson

On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> Remove "chatty" and redundant information from the xl man page;
> restrict it to functional descriptions only, and point instead to
> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> information.
> 
> Add a man page entry for device_model_user.
> 
> Update qemu-deprivilege.pandoc:
> 
> Changes in missing feature list:
> - Migration is functional
> - But qdisk backends are not
> 
> Add a missing restriction list.
> 
> The following statements from the man page are dropped:
> - Mentioning PV; PV guests never have a device model.
> - Drop the confusing statement about stdvga and cirrus vga options.
> - Re-used domain IDs are now handled.
> - Device models should no longer be able to create world-readable
>   files on dom0's filesystem.
> 
> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> ---
> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> both 'default' and 'stdvga' with dm_restrict and they worked fine.

I think until we figure out the situation of vga, the statement should
stay.

Wei.

* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
  2019-01-25 11:33 ` Wei Liu
@ 2019-01-25 14:47   ` George Dunlap
  2019-01-25 16:10     ` Wei Liu
From: George Dunlap @ 2019-01-25 14:47 UTC (permalink / raw)
  To: Wei Liu; +Cc: Anthony Perard, xen-devel, Juergen Gross, Ian Jackson

On 1/25/19 11:33 AM, Wei Liu wrote:
> On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
>> Remove "chatty" and redundant information from the xl man page;
>> restrict it to functional descriptions only, and point instead to
>> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
>> information.
>>
>> Add a man page entry for device_model_user.
>>
>> Update qemu-deprivilege.pandoc:
>>
>> Changes in missing feature list:
>> - Migration is functional
>> - But qdisk backends are not
>>
>> Add a missing restriction list.
>>
>> The following statements from the man page are dropped:
>> - Mentioning PV; PV guests never have a device model.
>> - Drop the confusing statement about stdvga and cirrus vga options.
>> - Re-used domain IDs are now handled.
>> - Device models should no longer be able to create world-readable
>>   files on dom0's filesystem.
>>
>> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
>> ---
>> RFC: I don't know what the 'vga' limitation thing was about -- I tried
>> both 'default' and 'stdvga' with dm_restrict and they worked fine.
> 
> I think until we figure out the situation of vga, the statement should
> stay.

How would we do that?

 -George

* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
  2019-01-25 14:47   ` George Dunlap
@ 2019-01-25 16:10     ` Wei Liu
  2019-01-25 16:39       ` Anthony PERARD
From: Wei Liu @ 2019-01-25 16:10 UTC (permalink / raw)
  To: George Dunlap
  Cc: Anthony Perard, xen-devel, Wei Liu, Juergen Gross, Ian Jackson

On Fri, Jan 25, 2019 at 02:47:20PM +0000, George Dunlap wrote:
> On 1/25/19 11:33 AM, Wei Liu wrote:
> > On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> >> Remove "chatty" and redundant information from the xl man page;
> >> restrict it to functional descriptions only, and point instead to
> >> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> >> information.
> >>
> >> Add a man page entry for device_model_user.
> >>
> >> Update qemu-deprivilege.pandoc:
> >>
> >> Changes in missing feature list:
> >> - Migration is functional
> >> - But qdisk backends are not
> >>
> >> Add a missing restriction list.
> >>
> >> The following statements from the man page are dropped:
> >> - Mentioning PV; PV guests never have a device model.
> >> - Drop the confusing statement about stdvga and cirrus vga options.
> >> - Re-used domain IDs are now handled.
> >> - Device models should no longer be able to create world-readable
> >>   files on dom0's filesystem.
> >>
> >> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> >> ---
> >> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> >> both 'default' and 'stdvga' with dm_restrict and they worked fine.
> > 
> > I think until we figure out the situation of vga, the statement should
> > stay.
> 
> How would we do that?

Per my understanding:

  Setting vga option to anything else other than "none" may not work

?

Wei.

> 
>  -George

* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
  2019-01-25 16:10     ` Wei Liu
@ 2019-01-25 16:39       ` Anthony PERARD
  2019-01-25 16:55         ` Wei Liu
From: Anthony PERARD @ 2019-01-25 16:39 UTC (permalink / raw)
  To: Wei Liu; +Cc: Juergen Gross, xen-devel, George Dunlap, Ian Jackson

On Fri, Jan 25, 2019 at 04:10:55PM +0000, Wei Liu wrote:
> On Fri, Jan 25, 2019 at 02:47:20PM +0000, George Dunlap wrote:
> > On 1/25/19 11:33 AM, Wei Liu wrote:
> > > On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> > >> Remove "chatty" and redundant information from the xl man page;
> > >> restrict it to functional descriptions only, and point instead to
> > >> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> > >> information.
> > >>
> > >> Add a man page entry for device_model_user.
> > >>
> > >> Update qemu-deprivilege.pandoc:
> > >>
> > >> Changes in missing feature list:
> > >> - Migration is functional
> > >> - But qdisk backends are not
> > >>
> > >> Add a missing restriction list.
> > >>
> > >> The following statements from the man page are dropped:
> > >> - Mentioning PV; PV guests never have a device model.
> > >> - Drop the confusing statement about stdvga and cirrus vga options.
> > >> - Re-used domain IDs are now handled.
> > >> - Device models should no longer be able to create world-readable
> > >>   files on dom0's filesystem.
> > >>
> > >> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> > >> ---
> > >> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> > >> both 'default' and 'stdvga' with dm_restrict and they worked fine.
> > > 
> > > I think until we figure out the situation of vga, the statement should
> > > stay.
> > 
> > How would we do that?
> 
> Per my understanding:
> 
>   Setting vga option to anything else other than "none" may not work
> 
> ?

Is there an issue with the vga setting and dm_restrict=1? I never had
any problem. Accessing the guest graphic output via VNC while running
with dm_restrict works fine. (but I only ever use the default.)

Maybe it's time to blame! And do some archeology ...

Based on commit 7d278e2115d084a5f78a512ae01ce946c10cff7d
"xl: Document VGA problems arising from lack of physmap dmop"
the issue is just that using xc_domain_add_to_physmap doesn't work.

But that issue has been addressed with a new DMOPS, and QEMU has
support for it since:
commit 2cbf8903530b936964dd3af7e2e5bf85c3955d5c
"xen: Use newly added dmops for mapping VGA memory"
which is QEMU 3.0.

qemu-xen-4.12.0 is at least QEMU 3.0. So it should be just a matter of
documenting that we need QEMU 3.0.
But based on qemu-deprivilege.pandoc, QEMU 3.0 is required for
dm_restrict to work, so all is fine. The original mention of a problem
with vga!=none isn't true anymore.

The version requirement is documented in the man page, which redirects to
qemu-deprivilege.pandoc, which specifies QEMU 3.0+. So all is fine.

Cheers,

-- 
Anthony PERARD

* Re: [PATCH-for-4.12] docs: Fix dm_restrict documentation
  2019-01-25 16:39       ` Anthony PERARD
@ 2019-01-25 16:55         ` Wei Liu
From: Wei Liu @ 2019-01-25 16:55 UTC (permalink / raw)
  To: Anthony PERARD
  Cc: Juergen Gross, xen-devel, Wei Liu, George Dunlap, Ian Jackson

On Fri, Jan 25, 2019 at 04:39:35PM +0000, Anthony PERARD wrote:
> On Fri, Jan 25, 2019 at 04:10:55PM +0000, Wei Liu wrote:
> > On Fri, Jan 25, 2019 at 02:47:20PM +0000, George Dunlap wrote:
> > > On 1/25/19 11:33 AM, Wei Liu wrote:
> > > > On Thu, Jan 24, 2019 at 05:48:27PM +0000, George Dunlap wrote:
> > > >> Remove "chatty" and redundant information from the xl man page;
> > > >> restrict it to functional descriptions only, and point instead to
> > > >> qemu-depriv.pandoc and SUPPORT.md as locations for "canonical"
> > > >> information.
> > > >>
> > > >> Add a man page entry for device_model_user.
> > > >>
> > > >> Update qemu-deprivilege.pandoc:
> > > >>
> > > >> Changes in missing feature list:
> > > >> - Migration is functional
> > > >> - But qdisk backends are not
> > > >>
> > > >> Add a missing restriction list.
> > > >>
> > > >> The following statements from the man page are dropped:
> > > >> - Mentioning PV; PV guests never have a device model.
> > > >> - Drop the confusing statement about stdvga and cirrus vga options.
> > > >> - Re-used domain IDs are now handled.
> > > >> - Device models should no longer be able to create world-readable
> > > >>   files on dom0's filesystem.
> > > >>
> > > >> Signed-off-by: George Dunlap <george.dunlap@citrix.com>
> > > >> ---
> > > >> RFC: I don't know what the 'vga' limitation thing was about -- I tried
> > > >> both 'default' and 'stdvga' with dm_restrict and they worked fine.
> > > > 
> > > > I think until we figure out the situation of vga, the statement should
> > > > stay.
> > > 
> > > How would we do that?
> > 
> > Per my understanding:
> > 
> >   Setting vga option to anything else other than "none" may not work
> > 
> > ?
> 
> Is there an issue with the vga setting and dm_restrict=1? I never had
> any problem. Accessing the guest graphic output via VNC while running
> with dm_restrict works fine. (but I only ever use the default.)
> 
> Maybe it's time to blame! And do some archeology ...
> 
> Based on commit 7d278e2115d084a5f78a512ae01ce946c10cff7d
> "xl: Document VGA problems arising from lack of physmap dmop"
> the issue is just that using xc_domain_add_to_physmap doesn't work.
> 
> But that issue has been addressed with a new DMOPS, and QEMU has
> support for it since:
> commit 2cbf8903530b936964dd3af7e2e5bf85c3955d5c
> "xen: Use newly added dmops for mapping VGA memory"
> which is QEMU 3.0.
> 
> qemu-xen-4.12.0 is at least QEMU 3.0. So it should be just a matter of
> documenting that we need QEMU 3.0.
> But based on qemu-deprivilege.pandoc, QEMU 3.0 is required for
> dm_restrict to work, so all is fine. The original mention of a problem
> with vga!=none isn't true anymore.
> 
> The version requirement is documented in the man page, which redirects to
> qemu-deprivilege.pandoc, which specifies QEMU 3.0+. So all is fine.

OK. That's convincing. Thanks for digging.

We can remove the statement for 4.12.

Acked-by: Wei Liu <wei.liu2@citrix.com>
