public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed
From: Stefano Brivio <sbrivio@redhat.com>
To: Michal Privoznik <mprivozn@redhat.com>
Cc: passt-dev@passt.top
Subject: Re: [PATCH 0/2] Introduce --log-fd option
Date: Tue, 6 Jun 2023 22:58:36 +0200	[thread overview]
Message-ID: <20230606225836.63aecebe@elisabeth> (raw)
In-Reply-To: <cover.1686037337.git.mprivozn@redhat.com>

Hi,

On Tue,  6 Jun 2023 13:41:28 +0200
Michal Privoznik <mprivozn@redhat.com> wrote:

> The idea behind this is so that libvirt can create the log file, set all
> DAC/SELinux labels and just pass pre-opened FD to passt.
> 
> You can view my WIP patches for libvirt here:
> 
> https://gitlab.com/MichalPrivoznik/libvirt/-/commit/5bbe40087d6888a7c4031a2224731523e117c072

Thanks for the implementation... and also for taking care of the
details!

I'm not really enthusiastic about the security implications of this
approach, but _if it's the only reasonable way to solve this_, I won't
certainly stand in the way of progress. The series looks mostly good to
me, I have only a few nits, reported in the single replies.

This adds a further interfacing mode between passt and the parent
process, which makes me a bit uncomfortable in general.

Specifically, if the parent process runs as root, this gives a rogue
passt process a way to write potentially unlimited amounts of data to
essentially any place (minus _some_ checks implemented by Linux Security
Modules). And a rogue passt process doesn't necessarily imply a rogue
parent, so this is additional surface.

Oh, and by the way of LSMs, we kind of bypass stuff like this.

For a non-rogue passt process, if the parent runs as root, I don't see
any additional attack scenario -- the parent could do anything it wants
anyway. But if the parent runs as regular user, there are a few
additional ways to cause passt to misbehave by passing in a file
descriptor that doesn't correspond to a file, or that's opened by other
processes, without any mediation by the filesystem (which is generally
speaking not under control of unprivileged users).

I'd rather much prefer the more common approach of defaulting, or
suggesting to the user, to write to a temporary filesystem, available
under most distributions under /run or /var/run. Is that really
unfeasible?

I'm thinking that libvirt already needs a specific directory for passt
to use (socket and PID files). What if logFile, other than an absolute
path, supported a relative path? This logic might perhaps apply to
other helpers or external programs too.

By the way, passt ships with AppArmor and SELinux example policies,
which are also included in packages. They would need at least a quick
review, probably some edits, and some basic tests. Thinking of those, a
relative path would also simplify things.

-- 
Stefano


  parent reply	other threads:[~2023-06-06 20:58 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-06 11:41 [PATCH 0/2] Introduce --log-fd option Michal Privoznik
2023-06-06 11:41 ` [PATCH 1/2] util: Introduce set_cloexec() Michal Privoznik
2023-06-06 20:59   ` Stefano Brivio
2023-06-06 11:41 ` [PATCH 2/2] conf, log: Introduce --log-fd option Michal Privoznik
2023-06-06 20:59   ` Stefano Brivio
2023-06-06 20:58 ` Stefano Brivio [this message]
2023-06-07 11:38   ` [PATCH 0/2] " Michal Prívozník
2023-06-07 14:42     ` Stefano Brivio
2023-06-08 11:51       ` Michal Prívozník
2023-06-13  3:12         ` Stefano Brivio

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230606225836.63aecebe@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=mprivozn@redhat.com \
    --cc=passt-dev@passt.top \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).