Re: [Xen-devel] [PATCH v2 1/6] docs/qemu-deprivilege: Revise and update with status and future plans
> -----Original Message----- [snip] > diff --git a/docs/features/qemu-deprivilege.pandoc b/docs/features/qemu- > deprivilege.pandoc > new file mode 100644 > index 0000000000..b377076606 > --- /dev/null > +++ b/docs/features/qemu-deprivilege.pandoc 
> @@ -0,0 +1,91 @@ > +% QEMU Deprivileging / dm_restrict > +% Revision 1 > + > +\clearpage > + > +# Basics > + > +---------------- ---------------------------------------------------- > + Status: **Tech Preview** > + > +Architecture(s): x86 > + > + Component(s): toolstack > + > +---------------- ---------------------------------------------------- > + > +# Overview > + > +By default, the QEMU device model is run in domain 0. If an attacker > +can gain control of a QEMU process, it could easily take control of a > +system. > + > +dm_restrict is a set of operations to restrict QEMU running in domain > +0. It consists of two halves: > + > + 1. Mechanisms to restrict QEMU to only being able to affect its own > +domain > + 2. Mechanisms to restruct QEMU's ability to interact with domain 0. > + > +# User details > + > +## Getting the right versions of software > + > +Linux: 4.11+ > + > +Qemu: 3.0+ (Or the version that comes with Xen 4.12+) > + > +## Setting up a userid range > + > +For maximum security, libxl needs to run the devicemodel for each > +domain under a user id (UID) corresponding to its domain id. There > +are 32752 possible domain IDs, and so libxl needs 32752 user ids set > +aside for it. > + > +The simplest and most effective way to do this is to allocate a > +contiguous block of UIDs, and create a single user named > +`xen-qemuuser-range-base` with the first UID. For example, under Debian: > + > + adduser --no-create-home --uid 65536 --system xen-qemuuser-range-base > + > +NOTE: Most modern systems have 32-bit UIDs, and so can in theory go up > +to 2^31 (or 2^32 if uids are unsigned). POSIX only guarantees 16-bit > +UIDs however. UID 65535 is reserved for an invalid value, and 65534 > +is normally allocated to "nobody". > + > +Another, less-secure way is to run all QEMUs as the same UID. 
To do > +this, create a user named `xen-qemuuser-shared`; for example: > + > + adduser --no-create-home --system xen-qemuuser-shared > + > +## Domain config changes > + > +The core domain config change is to add the following line to the > +domain configuration: > + > + dm_restrict=1 > + > +This will perform a number of restrictions, outlined below in the > +'Technical details' section. > + > +# Technical details > + > +See docs/design/qemu-deprivilege.txt for technical details. Nit... I guess you mean docs/design/qemu-deprivilege.md? Paul > + > +# Limitations > + > +The following features still need to be implemented: > + * Inserting a new cdrom while the guest is running (xl cdrom-insert) > + * Migration / save / restore > + > +Additionally, getting PCI passthrough to work securely would require a > +significant rework of how passthrough works at the moment. It may be > +implemented at some point but is not a near-term priority. > + > +# History > + > +------------------------------------------------------------------------ > +Date Revision Version Notes > +---------- -------- -------- ------------------------------------------- > +2018-09-14 1 Xen 4.12 Imported from docs/misc > +---------- -------- -------- ------------------------------------------- > diff --git a/docs/misc/qemu-deprivilege.txt b/docs/misc/qemu- > deprivilege.txt > deleted file mode 100644 > index 58b86a3908..0000000000 > --- a/docs/misc/qemu-deprivilege.txt > +++ /dev/null 
> @@ -1,36 +0,0 @@ > -For security reasons, libxl tries to pass a non-root username to QEMU as > -argument. During initialization QEMU calls setuid and setgid with the > -user ID and the group ID of the user passed as argument. > -Libxl looks for the following users in this order: > - > -1) a user named "xen-qemuuser-domid$domid", > -Where $domid is the domid of the domain being created. > -This requires the reservation of 65535 uids from xen-qemuuser-domid1 > -to xen-qemuuser-domid65535. To use this mechanism, you might want to > -create a large number of users at installation time. For example: > - > -for ((i=1; i<65536; i++)) > -do > - adduser --no-create-home --system xen-qemuuser-domid$i > -done > - > -You might want to consider passing --group to adduser to create a new > -group for each new user. > - > - > -2) a user named "xen-qemuuser-shared" > -As a fall back if both 1) fails, libxl will use a single user for > -all QEMU instances. The user is named xen-qemuuser-shared. This is > -less secure but still better than running QEMU as root. Using this is as > -simple as creating just one more user on your host: > - > -adduser --no-create-home --system xen-qemuuser-shared > - > - > -3) root > -As a last resort, libxl will start QEMU as root. > - > - > -Please note that running QEMU as non-root causes several features like > -migration and PCI passthrough to not work properly and may prevent the > guest > -from booting. > -- > 2.18.0 > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@xxxxxxxxxxxxxxxxxxxx > https://lists.xenproject.org/mailman/listinfo/xen-devel
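Review bot: two documentation fixes in the new docs/features/qemu-deprivilege.pandoc hunk (@@ -0,0 +1,91 @@). The line `2. Mechanisms to restruct QEMU's ability to interact with domain 0.` has a typo (restruct should be restrict), and in the Limitations section the two bullets directly follow `The following features still need to be implemented:` with no blank line, so pandoc will fold them into the preceding paragraph instead of rendering a list; add a blank line before ` * Inserting a new cdrom while the guest is running (xl cdrom-insert)`. It would also help readers to state explicitly that the 32752 UIDs starting at `xen-qemuuser-range-base` (65536 through 65536+32751 in the Debian example) must be kept free of other accounts, since the text asks for a contiguous block but the `adduser --uid 65536` example only reserves the first one, and to say what is given up with the "less-secure" `xen-qemuuser-shared` option so administrators can weigh the trade-off rather than just being told it is weaker.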
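Review bot: the deleted docs/misc/qemu-deprivilege.txt hunk (@@ -1,36 +0,0 @@) removes the only description of the lookup order libxl uses (`xen-qemuuser-domid$domid`, then `xen-qemuuser-shared`, then root as a last resort), and the new document does not carry it over. With `dm_restrict=1` an administrator needs to know whether libxl still falls back to root when neither user exists or refuses to start the domain, so please state the current behaviour in the new 'User details' or 'Technical details' section. The old caveat that running QEMU as non-root affects migration and PCI passthrough does survive under Limitations, so nothing else from the deleted file is lost.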