[libvirt] New QEMU daemon for persistent reservations
Paolo Bonzini
pbonzini at redhat.com
Mon Sep 11 15:20:10 UTC 2017
On 11/09/2017 16:32, Daniel P. Berrange wrote:
>> This is already handled via SCM_RIGHTS and is part of the design of the
>> helper daemon. QEMU cannot even open mpath devices which are not
>> accessible according to its SELinux category or device cgroup.
>
> Ah so the daemon relies on the fact that the client was not permitted
> to open another file. So the only FD it can receive from the client is
> one that was associated with a permitted mpath device.
>
> That would be sufficient to protect against a malicious qemu process
> trying to explicitly pass it invalid FD data. It wouldn't be sufficient
> to be safe against a QEMU process that somehow managed to trigger a bug
> that caused it to corrupt memory and thus trick into opening a different
> file. For the latter we would need to have some stricter policy about
> the helper daemon and labelling on files.
Exactly. The passed file descriptor acts as a "capability"; the daemon
goes from there to the paths through fstat on the file descriptor
followed by /dev/mapper/control APIs (mostly issued by libmpathpersist).
On the other hand, the daemon has CAP_SYS_RAWIO and CAP_SYS_ADMIN, so if
you get memory corruption all bets are probably off anyway.
Paolo
More information about the libvir-list
mailing list