qemu-devel

Re: [Qemu-devel] [PATCH v1] os-posix: Add -unshare option


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH v1] os-posix: Add -unshare option
Date: Tue, 24 Oct 2017 14:35:53 +0200
User-agent: Mutt/1.9.1 (2017-09-22)

On Mon, Oct 23, 2017 at 03:30:05PM +0100, Ross Lagerwall wrote:
> On 10/19/2017 05:24 PM, Daniel P. Berrange wrote:
> > On Thu, Oct 19, 2017 at 05:04:19PM +0100, Ross Lagerwall wrote:
> > > Add an option to allow calling unshare() just before starting guest
> > > execution. The option allows unsharing one or more of the mount
> > > namespace, the network namespace, and the IPC namespace. This is useful
> > > to restrict the ability of QEMU to cause damage to the system should it
> > > be compromised.
> > > 
> > > An example of using this would be to have QEMU open a QMP socket at
> > > startup and unshare the network namespace. The instance of QEMU could
> > > still be controlled by the QMP socket since that belongs in the original
> > > namespace, but if QEMU were compromised it wouldn't be able to open any
> > > new connections, even to other processes on the same machine.
> > 
> > Unless I'm misunderstanding you, what's described here is already possible
> > by just using the 'unshare' command to spawn QEMU:
> > 
> >    # unshare --ipc --mount --net qemu-system-x86_64 -qmp unix:/tmp/foo,server -vnc :1
> >    qemu-system-x86_64: -qmp unix:/tmp/foo,server: QEMU waiting for connection on: disconnected:unix:/tmp/foo,server
> > 
> > And in another shell I can still access the QMP socket from the original host
> > namespace
> 
> So that works because UNIX domain sockets are not restricted by network
> namespaces.

Slightly pedantic but hopefully interesting:

It's not correct to say that UNIX domain sockets are not restricted by
network namespaces; it's more complicated than that.  UNIX domain
sockets fall into several groups:

1. pathname (i.e. they have an inode on disk) sockets are namespaced by
   the mount namespace, not the network namespace.  These sockets can
   only be accessed if the thread's mount (filesystem) namespace can
   reach the inode.

2. unnamed (e.g. socketpair(2)) sockets can never be looked up in any
   namespace anyway, only fork() or file descriptor passing transfers
   them between processes.  Namespaces are irrelevant here.

3. abstract (sun_path[0] == '\0') sockets are affected by the network
   namespace.

Stefan
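As an added example (not code from this thread or from QEMU), the Python script below binds one socket of each kind Stefan lists, classifies each from its getsockname() result, and then checks reachability from a forked child that has unshared only its network namespace, so the mount namespace is unchanged. It assumes Linux; the namespace probe needs CAP_SYS_ADMIN (or a user namespace) and reports None when unshare() is refused, and the socket path and abstract name are constructed.

```python
import ctypes, os, socket, tempfile
CLONE_NEWNET = 0x40000000  # from <linux/sched.h>

def classify(name):
    """Map a getsockname() result to Stefan's groups 1-3."""
    if isinstance(name, bytes) and name[:1] == b"\0":
        return "abstract: scoped by network namespace"
    if name in ("", b""):
        return "unnamed: never looked up, only fork()/fd passing"
    return "pathname: scoped by mount namespace"

def reachable(addr):
    """True if connect() to addr succeeds from the calling process."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        return c.connect_ex(addr) == 0

def probe_from_new_netns(path, abstract):
    """Fork, unshare only the child's network namespace and test from there.
    Returns (pathname_ok, abstract_ok), or None if fork()/unshare() is refused."""
    r, w = os.pipe()
    try:
        pid = os.fork()
    except OSError:
        os.close(r); os.close(w); return None
    if pid == 0:  # child: same mount namespace, fresh network namespace
        if ctypes.CDLL(None).unshare(CLONE_NEWNET) != 0:
            os.write(w, b"X")
        else:
            os.write(w, b"%d%d" % (reachable(path), reachable(abstract)))
        os._exit(0)
    os.close(w)
    out = os.read(r, 2); os.close(r); os.waitpid(pid, 0)
    return None if out in (b"", b"X") else (out[:1] == b"1", out[1:] == b"1")

def demo():
    """Bind one listener of each kind; report kind and reachability."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "qmp.sock")             # constructed pathname
    abstract = b"\0unshare-demo-%d" % os.getpid()  # constructed abstract name
    srv_path = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv_path.bind(path); srv_path.listen(8)
    srv_abs = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv_abs.bind(abstract); srv_abs.listen(8)
    a, b = socket.socketpair()
    result = {"kinds": [classify(s.getsockname()) for s in (srv_path, srv_abs, a)],
              "same_ns": (reachable(path), reachable(abstract)),
              "new_netns": probe_from_new_netns(path, abstract)}
    for s in (srv_path, srv_abs, a, b): s.close()
    os.unlink(path); os.rmdir(d)
    return result
```

With sufficient privilege, "new_netns" comes back as (True, False): the pathname socket is still reachable through the shared mount namespace while the abstract one is not, which is the distinction Stefan draws.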

