[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen staging] libxl: Introduce specific username to be used as a reaper



commit f45e7d333fe6b1c578e020adce65269db204ade3
Author:     George Dunlap <george.dunlap@xxxxxxxxxx>
AuthorDate: Fri Dec 21 15:41:11 2018 +0000
Commit:     George Dunlap <george.dunlap@xxxxxxxxxx>
CommitDate: Fri Dec 21 18:42:00 2018 +0000

    libxl: Introduce specific username to be used as a reaper
    
    Untrusted device models must be killed by uid rather than by pid for
    safety.  To do this reliably, we need another uid, not used for any
    other purpose, from which to make the kill system call.
    
    When using xen-qemuuser-range-base, we can repurpose
    xen-qemuuser-range-base itself as a UID from which to kill other
    devicemodel uids (since domain ID 0 should never have a device model
    associated with it).
    
    However, we'd like people to be able to use the device_model_user
    feature without also defining xen-qemuuser-range-base (which requires
    the ability to 'reserve' 32k+ user IDs).
    
    To that end, introduce the xen-qemuuser-reaper id.  When killing by
    UID, first look for and use that ID if available; then fall back to
    xen-qemuuser-range-base.
    
    Document the new call in docs/features/qemu-deprivilege.pandoc.
    
    Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
 docs/features/qemu-deprivilege.pandoc |  9 ++++++++
 tools/libxl/libxl_dm.c                | 40 ++++++++++++++++++++++-------------
 tools/libxl/libxl_internal.h          |  1 +
 3 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/docs/features/qemu-deprivilege.pandoc 
b/docs/features/qemu-deprivilege.pandoc
index ce21a60ef7..eb05981a83 100644
--- a/docs/features/qemu-deprivilege.pandoc
+++ b/docs/features/qemu-deprivilege.pandoc
@@ -77,12 +77,21 @@ And then in your config file, the following line:
 
     device_model_user="xen-qemuuser-c6-01"
 
+If you use this method, you should also allocate one "reaper" user to
+be used for killing device models:
+
+    adduser --system --no-create-home --group xen-qemuuser-reaper
+
 NOTE: It is important when using `device_model_user` that EACH VM HAVE
 A SEPARATE UID, and that none of these UIDs map to root.  xl will
 throw an error a uid maps to zero, but not if multiple VMs have the
 same uid.  Multiple VMs with the same device model uid will cause
 problems.
 
+It is also important that `xen-qemuuser-reaper` not have any processes
+associated with it, as they will be destroyed when deprivileged qemu
+processes are destroyed.
+
 ## Domain config changes
 
 The core domain config change is to add the following line to the
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 922fa70f11..f5322e3f45 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -268,24 +268,37 @@ static int libxl__get_reaper_uid(libxl__gc *gc, uid_t 
*reaper_uid)
     struct passwd *user_base, user_pwbuf;
     int rc;
 
+    rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_REAPER,
+                                         &user_pwbuf, &user_base);
+    /* 
+     * Either there was an error, or we found a suitable user; stop
+     * looking
+     */
+    if (rc || user_base)
+        goto out;
+
     rc = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_RANGE_BASE,
                                          &user_pwbuf, &user_base);
-    if (rc)
-        return rc;
+    if (rc || user_base)
+        goto out;
 
-    if (!user_base) {
-        LOG(WARN, "Couldn't find uid for reaper process");
-        return ERROR_INVAL;
-    }
-    
-    if (user_base->pw_uid == 0) {
-        LOG(ERROR, "UID for reaper process maps to root!");
-        return ERROR_INVAL;
+    LOG(WARN, "Couldn't find uid for reaper process");
+    rc = ERROR_INVAL;
+
+ out:
+    /* First check to see if the discovered user maps to root */
+    if (!rc) {
+        if (user_base->pw_uid == 0) {
+            LOG(ERROR, "UID for reaper process maps to root!");
+            rc = ERROR_INVAL;
+        }
     }
 
-    *reaper_uid = user_base->pw_uid;
+    /* If everything is OK, set reaper_uid as appropriate */
+    if (!rc)
+        *reaper_uid = user_base->pw_uid;
 
-    return 0;
+    return rc;
 }
 
 const char *libxl__domain_device_model(libxl__gc *gc,
@@ -2908,9 +2921,6 @@ static int 
get_reaper_lock_and_uid(libxl__destroy_devicemodel_state *ddms,
 
     /*
      * Get reaper_uid.  If we can't find such a uid, return an error.
-     *
-     * FIXME: This means that domain destruction will fail if
-     * device_model_user is set but QEMU_USER_RANGE_BASE doesn't exist.
      */
     return libxl__get_reaper_uid(gc, reaper_uid);
 }
diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
index 8323c7924d..67f3f6ac76 100644
--- a/tools/libxl/libxl_internal.h
+++ b/tools/libxl/libxl_internal.h
@@ -4419,6 +4419,7 @@ _hidden int libxl__read_sysfs_file_contents(libxl__gc *gc,
 #define LIBXL_QEMU_USER_PREFIX "xen-qemuuser"
 #define LIBXL_QEMU_USER_SHARED LIBXL_QEMU_USER_PREFIX"-shared"
 #define LIBXL_QEMU_USER_RANGE_BASE LIBXL_QEMU_USER_PREFIX"-range-base"
+#define LIBXL_QEMU_USER_REAPER LIBXL_QEMU_USER_PREFIX"-reaper"
 
 static inline bool libxl__acpi_defbool_val(const libxl_domain_build_info 
*b_info)
 {
--
generated by git-patchbot for /home/xen/git/xen.git#staging

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.