Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
From: Fam Zheng
Subject: Re: [Qemu-devel] [PATCH RFC] tcmu: Introduce qemu-tcmu
Date: Fri, 21 Oct 2016 08:11:47 +0800
User-agent: Mutt/1.7.0 (2016-08-17)
On Thu, 10/20 10:21, Andy Grover wrote:
> On 10/20/2016 07:30 AM, Fam Zheng wrote:
> > On Thu, 10/20 15:08, Stefan Hajnoczi wrote:
> > > If a corrupt image is able to execute arbitrary code in the qemu-tcmu
> > > process, does /dev/uio0 or the tcmu shared memory interface allow get
> > > root or kernel privileges?
> >
> > I haven't audited the code, but target_core_user.ko should contain the
> > access to /dev/uioX and make sure there is no security risk regarding
> > buggy or malicious handlers. Otherwise it's a bug that should be fixed.
> > Andy can correct me if I'm wrong.
>
> Yes... well, TCMU ensures that a bad handler can't scribble to kernel memory
> outside the shared memory area.
Thanks!
>
> UIO devices are basically a "device drivers in userspace" kind of API so
> they require root to use. I seem to remember somebody mentioning ways this
> might work for less-privileged handlers (fd-passing??) but no way to do this
> exists just yet.
In my example in the cover letter I use chmod + non-root which seems to be
working properly. So I think fd-passing is a promising mechanism.
Fam
>
> Regards -- Andy
>
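As an added example, not part of this thread and not code from qemu-tcmu or the TCMU kernel module, here is how the fd-passing Andy mentions would work in principle: a hypothetical privileged broker opens the device node and passes only the descriptor over a Unix socket with SCM_RIGHTS, so the handler process can mmap the region the way a TCMU handler maps its uio device while never holding permission to open /dev/uioX itself. The broker/handler split, the function names and the temporary file standing in for /dev/uio0 are assumptions; both sides run in one process here so the block executes offline on any Linux host.

```python
import array
import mmap
import os
import socket
import tempfile

# Constructed sample contents standing in for the device-backed shared memory.
SAMPLE = b"constructed stand-in for the TCMU shared memory ring"


def send_fd(sock, fd):
    """Pass one open file descriptor over a Unix socket using SCM_RIGHTS."""
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                           array.array("i", [fd]))])


def recv_fd(sock):
    """Receive one file descriptor sent with send_fd(); raise if none arrived."""
    fds = array.array("i")
    _msg, ancdata, _flags, _addr = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
            return fds[0]
    raise RuntimeError("no file descriptor received")


def broker_open_and_pass(device_path):
    """Privileged side (hypothetical broker): opens the device node and hands
    only the descriptor to the handler; the handler never sees the path."""
    broker_sock, handler_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    fd = os.open(device_path, os.O_RDWR)
    try:
        send_fd(broker_sock, fd)
    finally:
        os.close(fd)          # the handler's copy stays valid after this close
        broker_sock.close()
    return handler_sock


def handler_map_and_read(handler_sock, length):
    """Unprivileged side (hypothetical handler): receives the descriptor and
    maps it, as a TCMU handler maps its uio device, without ever needing
    permission to open the device node itself."""
    fd = recv_fd(handler_sock)
    handler_sock.close()
    try:
        with mmap.mmap(fd, length, access=mmap.ACCESS_READ) as region:
            return bytes(region[:length])
    finally:
        os.close(fd)


def demo():
    """Run both sides in one process with a temp file standing in for /dev/uio0."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SAMPLE)
        path = f.name
    try:
        handler_sock = broker_open_and_pass(path)
        return handler_map_and_read(handler_sock, len(SAMPLE))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The point of the split is the one the thread is circling: the handler's reach is bounded by what the passed descriptor permits plus whatever the kernel side of TCMU enforces on the shared memory area, and a compromise of the handler yields no ability to open further device nodes because it never had that permission. With a real device the broker would also be the natural place to check which device it is willing to hand out and to which handler.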