Xen project Mailing List

Re: [Xen-devel] [PATCH v4 5/6] tools/dm_depriv: Add first cut RLIMITs

To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: George Dunlap <george.dunlap@xxxxxxxxxx>

Date: Tue, 6 Nov 2018 10:39:24 +0000

Autocrypt: addr=george.dunlap@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFPqG+MBEACwPYTQpHepyshcufo0dVmqxDo917iWPslB8lauFxVf4WZtGvQSsKStHJSj 92Qkxp4CH2DwudI8qpVbnWCXsZxodDWac9c3PordLwz5/XL41LevEoM3NWRm5TNgJ3ckPA+J K5OfSK04QtmwSHFP3G/SXDJpGs+oDJgASta2AOl9vPV+t3xG6xyfa2NMGn9wmEvvVMD44Z7R W3RhZPn/NEZ5gaJhIUMgTChGwwWDOX0YPY19vcy5fT4bTIxvoZsLOkLSGoZb/jHIzkAAznug Q7PPeZJ1kXpbW9EHHaUHiCD9C87dMyty0N3TmWfp0VvBCaw32yFtM9jUgB7UVneoZUMUKeHA fgIXhJ7I7JFmw3J0PjGLxCLHf2Q5JOD8jeEXpdxugqF7B/fWYYmyIgwKutiGZeoPhl9c/7RE Bf6f9Qv4AtQoJwtLw6+5pDXsTD5q/GwhPjt7ohF7aQZTMMHhZuS52/izKhDzIufl6uiqUBge 0lqG+/ViLKwCkxHDREuSUTtfjRc9/AoAt2V2HOfgKORSCjFC1eI0+8UMxlfdq2z1AAchinU0 eSkRpX2An3CPEjgGFmu2Je4a/R/Kd6nGU8AFaE8ta0oq5BSFDRYdcKchw4TSxetkG6iUtqOO ZFS7VAdF00eqFJNQpi6IUQryhnrOByw+zSobqlOPUO7XC5fjnwARAQABzSRHZW9yZ2UgVy4g RHVubGFwIDxkdW5sYXBnQHVtaWNoLmVkdT7CwYAEEwEKACoCGwMFCwkIBwMFFQoJCAsFFgID AQACHgECF4ACGQEFAlpk2IEFCQo9I54ACgkQpjY8MQWQtG1A1BAAnc0oX3+M/jyv4j/ESJTO U2JhuWUWV6NFuzU10pUmMqpgQtiVEVU2QbCvTcZS1U/S6bqAUoiWQreDMSSgGH3a3BmRNi8n HKtarJqyK81aERM2HrjYkC1ZlRYG+jS8oWzzQrCQiTwn3eFLJrHjqowTbwahoiMw/nJ+OrZO /VXLfNeaxA5GF6emwgbpshwaUtESQ/MC5hFAFmUBZKAxp9CXG2ZhTP6ROV4fwhpnHaz8z+BT NQz8YwA4gkmFJbDUA9I0Cm9D/EZscrCGMeaVvcyldbMhWS+aH8nbqv6brhgbJEQS22eKCZDD J/ng5ea25QnS0fqu3bMrH39tDqeh7rVnt8Yu/YgOwc3XmgzmAhIDyzSinYEWJ1FkOVpIbGl9 uR6seRsfJmUK84KCScjkBhMKTOixWgNEQ/zTcLUsfTh6KQdLTn083Q5aFxWOIal2hiy9UyqR VQydowXy4Xx58rqvZjuYzdGDdAUlZ+D2O3Jp28ez5SikA/ZaaoGI9S1VWvQsQdzNfD2D+xfL qfd9yv7gko9eTJzv5zFr2MedtRb/nCrMTnvLkwNX4abB5+19JGneeRU4jy7yDYAhUXcI/waS /hHioT9MOjMh+DoLCgeZJYaOcgQdORY/IclLiLq4yFnG+4Ocft8igp79dbYYHkAkmC9te/2x Kq9nEd0Hg288EO/OwE0EVFq6vQEIAO2idItaUEplEemV2Q9mBA8YmtgckdLmaE0uzdDWL9To 1PL+qdNe7tBXKOfkKI7v32fe0nB4aecRlQJOZMWQRQ0+KLyXdJyHkq9221sHzcxsdcGs7X3c 17ep9zASq+wIYqAdZvr7pN9a3nVHZ4W7bzezuNDAvn4EpOf/o0RsWNyDlT6KECs1DuzOdRqD oOMJfYmtx9hMzqBoTdr6U20/KgnC/dmWWcJAUZXaAFp+3NYRCkk7k939VaUpoY519CeLrymd Vdke66KCiWBQXMkgtMGvGk5gLQLy4H3KXvpXoDrYKgysy7jeOccxI8owoiOdtbfM8TTDyWPR Ygjzb9LApA8AEQEAAcLBZQQYAQoADwIbDAUCWmTXMwUJB+tP9gAKCRCmNjwxBZC0bb+2D/9h jn1k5WcRHlu19WGuH6q0Kgm1LRT7PnnSz904igHNElMB5a7wRjw5kdNwU3sRm2nnmHeOJH8k Yj2Hn1QgX5SqQsysWTHWOEseGeoXydx9zZZkt3oQJM+9NV1VjK0bOXwqhiQyEUWz5/9l467F S/k4FJ5CHNRumvhLa0l2HEEu5pxq463HQZHDt4YE/9Y74eXOnYCB4nrYxQD/GSXEZvWryEWr eDoaFqzq1TKtzHhFgQG7yFUEepxLRUUtYsEpT6Rks2l4LCqG3hVD0URFIiTyuxJx3VC2Ta4L H3hxQtiaIpuXqq2D4z63h6vCx2wxfZc/WRHGbr4NAlB81l35Q/UHyMocVuYLj0llF0rwU4Aj iKZ5qWNSEdvEpL43fTvZYxQhDCjQTKbb38omu5P4kOf1HT7s+kmQKRtiLBlqHzK17D4K/180 ADw7a3gnmr5RumcZP3NGSSZA6jP5vNqQpNu4gqrPFWNQKQcW8HBiYFgq6SoLQQWbRxJDHvTR YJ2ms7oCe870gh4D1wFFqTLeyXiVqjddENGNaP8ZlCDw6EU82N8Bn5LXKjR1GWo2UK3CjrkH pTt3YYZvrhS2MO2EYEcWjyu6LALF/lS6z6LKeQZ+t9AdQUcILlrx9IxqXv6GvAoBLJY1jjGB q+/kRPrWXpoaQn7FXWGfMqU+NkY9enyrlw==

Cc: Anthony Perard <anthony.perard@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>

Delivery-date: Tue, 06 Nov 2018 10:39:37 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Openpgp: preference=signencrypt

On 11/06/2018 09:22 AM, Paul Durrant wrote: >> -----Original Message----- >> From: Xen-devel [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf >> Of George Dunlap >> Sent: 05 November 2018 18:07 >> To: xen-devel@xxxxxxxxxxxxxxxxxxxx >> Cc: Anthony Perard <anthony.perard@xxxxxxxxxx>; Ian Jackson >> <Ian.Jackson@xxxxxxxxxx>; Wei Liu <wei.liu2@xxxxxxxxxx>; George Dunlap >> <George.Dunlap@xxxxxxxxxx> >> Subject: [Xen-devel] [PATCH v4 5/6] tools/dm_depriv: Add first cut RLIMITs >> >> Limit the ability of a potentially compromised QEMU to consume system >> resources. Key limits: >> - RLIMIT_FSIZE (file size): 256KiB >> - RLIMIT_NPROC (after uid changes to a unique uid) >> >> Probably unnecessary limits but why not: >> - RLIMIT_CORE: 0 >> - RLIMIT_MSGQUEUE: 0 >> - RLIMIT_LOCKS: 0 >> - RLIMIT_MEMLOCK: 0 >> >> NB that we do not yet set RLIMIT_AS (total virtual memory) or >> RLIMIT_NOFILES (number of open files), since these require more care >> and/or more coordination with QEMU to implement. >> >> Suggested-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx> >> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx> >> --- >> Changes since v3: >> - Align RLIMIT_ENTRY list for easier reading >> - Fix wrong format string specifier >> - Get rid of some trailing whitespace >> >> Changes since v2: >> - Use a macro to define rlimit entries >> - Use RLIMIT_NLIMITS as an end-of-list marker, rather than -1 >> - Various style clean-ups >> >> CC: Ian Jackson <ian.jackson@xxxxxxxxxx> >> CC: Wei Liu <wei.liu2@xxxxxxxxxx> >> CC: Anthony Perard <anthony.perard@xxxxxxxxxx> >> --- >> docs/designs/qemu-deprivilege.md | 12 ++++----- >> tools/libxl/libxl_linux.c | 42 ++++++++++++++++++++++++++++++-- >> 2 files changed, 46 insertions(+), 8 deletions(-) >> >> diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu- >> deprivilege.md >> index a461ebbadd..e984064da6 100644 >> --- a/docs/designs/qemu-deprivilege.md >> +++ b/docs/designs/qemu-deprivilege.md >> @@ -105,12 +105,6 @@ call: >> >> [qemu-namespaces]: https://lists.gnu.org/archive/html/qemu-devel/2017- >> 10/msg04723.html >> >> -# Restrictions / improvements still to do >> - >> -This lists potential restrictions still to do. It is meant to be >> -listed in order of ease of implementation, with low-hanging fruit >> -first. >> - >> ### Basic RLIMITs >> >> '''Description''': A number of limits on the resources that a given >> @@ -137,6 +131,12 @@ are specified; this does not apply to QEMU running as >> a Xen DM. >> >> '''Tested''': Not tested >> >> +# Restrictions / improvements still to do >> + >> +This lists potential restrictions still to do. It is meant to be >> +listed in order of ease of implementation, with low-hanging fruit >> +first. >> + >> ### Further RLIMITs >> >> RLIMIT_AS limits the total amount of memory; but this includes the >> diff --git a/tools/libxl/libxl_linux.c b/tools/libxl/libxl_linux.c >> index c7a345f4bb..ac9526d731 100644 >> --- a/tools/libxl/libxl_linux.c >> +++ b/tools/libxl/libxl_linux.c >> @@ -12,11 +12,12 @@ >> * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> * GNU Lesser General Public License for more details. >> */ >> - >> + > > Stray whitespace change? Got rid of trailing witespace; I mentioned it under "Changes since v3". >> #include "libxl_osdeps.h" /* must come before any other headers */ >> >> #include "libxl_internal.h" >> - >> +#include <sys/resource.h> >> + > > Personally I tend to put local includes after ones from the include path. Is > there a reason it needs to come afterwards? No reason; just habit to add things to the end. I'll move it earlier unless Ian objects. >> +static struct { >> + int resource; >> + rlim_t limit; >> +} rlimits[] = { >> +#define RLIMIT_ENTRY(r, l) \ >> + { .resource = r, .limit = l } >> + /* Big enough for log files, not big enough for a DoS */ >> + RLIMIT_ENTRY(RLIMIT_FSIZE, 256*1024), >> + >> + /* Shouldn't need any of these */ >> + RLIMIT_ENTRY(RLIMIT_NPROC, 0), >> + RLIMIT_ENTRY(RLIMIT_CORE, 0), >> + RLIMIT_ENTRY(RLIMIT_MSGQUEUE, 0), >> + RLIMIT_ENTRY(RLIMIT_LOCKS, 0), >> + RLIMIT_ENTRY(RLIMIT_MEMLOCK, 0), >> + >> + /* End-of-list marker */ >> + RLIMIT_ENTRY(RLIMIT_NLIMITS, 0), >> +}; >> +#undef RLIMIT_ENTRY > > <pedantic> The undef should come before the brace to get the scoping correct. > </pedantic> Sure. >> + >> int libxl__local_dm_preexec_restrict(libxl__gc *gc) >> { >> int r; >> + unsigned i; >> >> /* Unshare mount and IPC namespaces. These are unused by QEMU. */ >> r = unshare(CLONE_NEWNS | CLONE_NEWIPC); >> @@ -318,6 +341,21 @@ int libxl__local_dm_preexec_restrict(libxl__gc *gc) >> return ERROR_FAIL; >> } >> >> + /* Set various "easy" rlimits */ >> + for (i = 0; rlimits[i].resource != RLIMIT_NLIMITS; i++) { >> + struct rlimit rlim; >> + >> + rlim.rlim_cur = rlim.rlim_max = rlimits[i].limit; >> + >> + r = setrlimit(rlimits[i].resource, &rlim); >> + if (r < 0) { >> + LOGE(ERROR, "Setting rlimit %d to %llu failed\n", >> + rlimits[i].resource, >> + (unsigned long long)rlimits[i].limit); > > Indentation of the continuation lines looks odd (although libxl's coding > style is a mystery to me so they may be correct). Don't think it says anything about this case; I find having the arguments indented beyond the format string easier to read. -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.