From: "Michal Prívozník" <mprivozn@redhat.com>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top
Subject: Re: [PATCH 0/2] Introduce --log-fd option
Date: Wed, 7 Jun 2023 13:38:12 +0200 [thread overview]
Message-ID: <39b5445f-3126-db92-01cd-60efb2dc25d1@redhat.com> (raw)
In-Reply-To: <20230606225836.63aecebe@elisabeth>
On 6/6/23 22:58, Stefano Brivio wrote:
> Hi,
>
> On Tue, 6 Jun 2023 13:41:28 +0200
> Michal Privoznik <mprivozn@redhat.com> wrote:
>
>> The idea behind this is so that libvirt can create the log file, set all
>> DAC/SELinux labels and just pass pre-opened FD to passt.
>>
>> You can view my WIP patches for libvirt here:
>>
>> https://gitlab.com/MichalPrivoznik/libvirt/-/commit/5bbe40087d6888a7c4031a2224731523e117c072
>
> Thanks for the implementation... and also for taking care of the
> details!
>
> I'm not really enthusiastic about the security implications of this
> approach, but _if it's the only reasonable way to solve this_, I won't
> certainly stand in the way of progress. The series looks mostly good to
> me, I have only a few nits, reported in the single replies.
>
> This adds a further interfacing mode between passt and the parent
> process, which makes me a bit uncomfortable in general.
>
> Specifically, if the parent process runs as root, this gives a rogue
> passt process a way to write potentially unlimited amounts of data to
> essentially any place (minus _some_ checks implemented by Linux Security
> Modules). And a rogue passt process doesn't necessarily imply a rogue
> parent, so this is additional surface.
Well, is it any different to when libvirt would create the file, set
perms and then let passt open() it? In fact, I find passing FD safer
because libvirt doesn't need to set up perms/owner and can leave the log
file be owned by root:root with 0600 mode, or any other user that
libvirtd runs under.
>
> Oh, and by the way of LSMs, we kind of bypass stuff like this.
>
> For a non-rogue passt process, if the parent runs as root, I don't see
> any additional attack scenario -- the parent could do anything it wants
> anyway. But if the parent runs as regular user, there are a few
> additional ways to cause passt to misbehave by passing in a file
> descriptor that doesn't correspond to a file, or that's opened by other
> processes, without any mediation by the filesystem (which is generally
> speaking not under control of unprivileged users).
So an attacker can cause libvirtd to pass an FD that doesn't belong to
the log file opened by libvirtd? Interesting, I though that's
impossible. I mean, it's sort of a goal we're working towards with QEMU
- libvirt opens FDs and then just pass them to QEMU. So if it's really
unsafe, we should re-evaluate our goal.
>
> I'd rather much prefer the more common approach of defaulting, or
> suggesting to the user, to write to a temporary filesystem, available
> under most distributions under /run or /var/run. Is that really
> unfeasible?
It if feasible. I just thought that when users want their logs to reside
under some special path that libvirtd has access to, but not passt then
we might use FD passing.
>
> I'm thinking that libvirt already needs a specific directory for passt
> to use (socket and PID files). What if logFile, other than an absolute
> path, supported a relative path? This logic might perhaps apply to
> other helpers or external programs too.
That's tangent to this problem.
>
> By the way, passt ships with AppArmor and SELinux example policies,
> which are also included in packages. They would need at least a quick
> review, probably some edits, and some basic tests. Thinking of those, a
> relative path would also simplify things.
>
Ah, completely forgot about those. Yeah, they might need tweaking even
if we decide to go this route.
Michal
next prev parent reply other threads:[~2023-06-07 11:38 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-06 11:41 [PATCH 0/2] Introduce --log-fd option Michal Privoznik
2023-06-06 11:41 ` [PATCH 1/2] util: Introduce set_cloexec() Michal Privoznik
2023-06-06 20:59 ` Stefano Brivio
2023-06-06 11:41 ` [PATCH 2/2] conf, log: Introduce --log-fd option Michal Privoznik
2023-06-06 20:59 ` Stefano Brivio
2023-06-06 20:58 ` [PATCH 0/2] " Stefano Brivio
2023-06-07 11:38 ` Michal Prívozník [this message]
2023-06-07 14:42 ` Stefano Brivio
2023-06-08 11:51 ` Michal Prívozník
2023-06-13 3:12 ` Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=39b5445f-3126-db92-01cd-60efb2dc25d1@redhat.com \
--to=mprivozn@redhat.com \
--cc=passt-dev@passt.top \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://passt.top/passt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).