[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen staging] tools/dm_restrict: Unshare mount and IPC namespaces on Linux



commit 371a23e65db5eb3a80a148586aeb551d4d0015f1
Author:     George Dunlap <george.dunlap@xxxxxxxxxx>
AuthorDate: Tue Nov 6 15:41:24 2018 +0000
Commit:     George Dunlap <george.dunlap@xxxxxxxxxx>
CommitDate: Tue Nov 6 15:41:24 2018 +0000

    tools/dm_restrict: Unshare mount and IPC namespaces on Linux
    
    QEMU running under Xen doesn't need mount or IPC functionality.
    Create and enter separate namespaces for each of these before
    executing QEMU, so that in the event that other restrictions fail, the
    process won't be able to even name system mount points or exsting
    non-file-based IPC descriptors to attempt to attack them.
    
    Unsharing is something a process can only do to itself (it would
    seem); so add an os-specific "dm_preexec_restrict()" hook just before
    we exec() the device model.
    
    Also add checks to depriv-process-checker.sh to verify that dm is
    running in a new namespace (or at least, a different one than the
    caller).
    
    Suggested-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
    Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
    ---
    Changes since v4:
    - Fix function prototype for netbsd code
    
    Changes since v3:
    - Fix some more style issues
    
    Changes since v2:
    - Return an error rather than calling exit()
    - Use LOGE() and print to the current stderr fd, rather than
      printing to the new stderr fd via write()
    - Use r for external return values rather than rc.
    
    CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
    CC: Wei Liu <wei.liu2@xxxxxxxxxx>
    CC: Anthony Perard <anthony.perard@xxxxxxxxxx>
---
 docs/designs/qemu-deprivilege.md | 12 ++++++------
 tools/libxl/libxl_dm.c           |  5 +++++
 tools/libxl/libxl_freebsd.c      |  5 +++++
 tools/libxl/libxl_internal.h     |  5 +++++
 tools/libxl/libxl_linux.c        | 14 ++++++++++++++
 tools/libxl/libxl_netbsd.c       |  5 +++++
 6 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-deprivilege.md
index 82b0e15d81..65754ba6ee 100644
--- a/docs/designs/qemu-deprivilege.md
+++ b/docs/designs/qemu-deprivilege.md
@@ -76,12 +76,6 @@ Then adds the following to the qemu command-line:
        
 '''Tested''': Not tested
 
-## Restrictions / improvements still to do
-
-This lists potential restrictions still to do.  It is meant to be
-listed in order of ease of implementation, with low-hanging fruit
-first.
-
 ## Namespaces for unused functionality (Linux only)
 
 '''Description''': QEMU doesn't use the functionality associated with
@@ -109,6 +103,12 @@ call:
 
 [qemu-namespaces]: 
https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg04723.html
 
+# Restrictions / improvements still to do
+
+This lists potential restrictions still to do.  It is meant to be
+listed in order of ease of implementation, with low-hanging fruit
+first.
+
 ### Basic RLIMITs
 
 '''Description''': A number of limits on the resources that a given
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index bb3e3a625c..9c47060473 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -2393,6 +2393,11 @@ retry_transaction:
         goto out_close;
     if (!rc) { /* inner child */
         setsid();
+        if (libxl_defbool_val(b_info->dm_restrict)) {
+            rc = libxl__local_dm_preexec_restrict(gc);
+            if (rc)
+                _exit(-1);
+        }
         libxl__exec(gc, null, logfile_w, logfile_w, dm, args, envs);
     }
 
diff --git a/tools/libxl/libxl_freebsd.c b/tools/libxl/libxl_freebsd.c
index 6442ccec72..f7ef4a8910 100644
--- a/tools/libxl/libxl_freebsd.c
+++ b/tools/libxl/libxl_freebsd.c
@@ -245,3 +245,8 @@ int libxl__pci_topology_init(libxl__gc *gc,
 {
     return ERROR_NI;
 }
+
+int libxl__local_dm_preexec_restrict(libxl__gc *gc)
+{
+    return 0;
+}
diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
index ff889385fe..e498435e16 100644
--- a/tools/libxl/libxl_internal.h
+++ b/tools/libxl/libxl_internal.h
@@ -3774,6 +3774,11 @@ struct libxl__dm_spawn_state {
 
 _hidden void libxl__spawn_local_dm(libxl__egc *egc, libxl__dm_spawn_state*);
 
+/* 
+ * Called after forking but before executing the local devicemodel.
+ */
+_hidden int libxl__local_dm_preexec_restrict(libxl__gc *gc);
+
 /* Stubdom device models. */
 
 typedef struct {
diff --git a/tools/libxl/libxl_linux.c b/tools/libxl/libxl_linux.c
index 6ef0abc693..c7a345f4bb 100644
--- a/tools/libxl/libxl_linux.c
+++ b/tools/libxl/libxl_linux.c
@@ -307,6 +307,20 @@ int libxl__pci_topology_init(libxl__gc *gc,
     return err;
 }
 
+int libxl__local_dm_preexec_restrict(libxl__gc *gc)
+{
+    int r;
+
+    /* Unshare mount and IPC namespaces.  These are unused by QEMU. */
+    r = unshare(CLONE_NEWNS | CLONE_NEWIPC);
+    if (r) {
+        LOGE(ERROR, "libxl: Mount and IPC namespace unfailed");
+        return ERROR_FAIL;
+    }
+
+    return 0;
+}
+
 /*
  * Local variables:
  * mode: C
diff --git a/tools/libxl/libxl_netbsd.c b/tools/libxl/libxl_netbsd.c
index 2edfb00641..e66a393d7f 100644
--- a/tools/libxl/libxl_netbsd.c
+++ b/tools/libxl/libxl_netbsd.c
@@ -124,3 +124,8 @@ int libxl__pci_topology_init(libxl__gc *gc,
 {
     return ERROR_NI;
 }
+
+int libxl__local_dm_preexec_restrict(libxl__gc *gc)
+{
+    return 0;
+}
--
generated by git-patchbot for /home/xen/git/xen.git#staging

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.