From: Peng Liang
Subject: [PATCH 1/2] qemu: Move pid file of pr-helper to stateDir
Date: Mon, 11 Oct 2021 20:11:35 +0800
Message-ID: <20211011121136.249689-2-liangpeng10@huawei.com>
In-Reply-To: <20211011121136.249689-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com
List-Id: Development discussions about the libvirt library & tools

Libvirt will put the pid file of pr-helper to per-domain directory.
However, the ownership of the per-domain directory is the user to run the QEMU process and the user has the write permission of the directory. If VM escape occurs, the attacker can
1. write arbitrary content to the pid file (if running QEMU using root), then the attacker can kill any process by writing appropriate pid to the pid file;
2. spoof the pid file (if running QEMU using a regular user), then the pr-helper process will never be cleared even if the VM is destroyed.

So, move the pid file of pr-helper from per-domain directory to stateDir just like the pid file of the domain.

Signed-off-by: Peng Liang
--- src/qemu/qemu_process.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 1d0165af6daa..583f3ec76c7b 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c
@@ -2859,9 +2859,11 @@ static char * qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm) { qemuDomainObjPrivate *priv =3D vm->privateData; - const char *prdAlias =3D qemuDomainGetManagedPRAlias(); + g_autofree char *domname =3D virDomainDefGetShortName(vm->def); + g_autofree char *prdName =3D g_strdup_printf("%s-%s", domname, qemuDom= ainGetManagedPRAlias()); + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); =20 - return virPidFileBuildPath(priv->libDir, prdAlias); + return virPidFileBuildPath(cfg->stateDir, prdName); } =20 =20 --=20 2.31.1
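Review bot: domname is passed to g_strdup_printf("%s-%s", ...) in qemuProcessBuildPRHelperPidfilePath() without a NULL check. If virDomainDefGetShortName(vm->def) fails, the function should return NULL instead of formatting a path from it, so test domname before building prdName. The prdName line is also well over 80 columns and would read better wrapped after the format string. Because stateDir is shared by all domains, a short comment saying that the short-name prefix is what keeps the file name unique per domain would help the next reader.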
From: Peng Liang
Subject: [PATCH 2/2] qemu: Move pid file of virtiofsd to stateDir
Date: Mon, 11 Oct 2021 20:11:36 +0800
Message-ID: <20211011121136.249689-3-liangpeng10@huawei.com>
In-Reply-To: <20211011121136.249689-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com
List-Id: Development discussions about the libvirt library & tools

Libvirt will put the pid file of virtiofsd to per-domain directory.
However, the ownership of the per-domain directory is the user to run the QEMU process and the user has the write permission of the directory. If VM escape occurs, the attacker can
1. write arbitrary content to the pid file (if running QEMU using root), then the attacker can kill any process by writing appropriate pid to the pid file;
2. spoof the pid file (if running QEMU using a regular user), then the virtiofsd process will never be cleared even if the VM is destroyed.

So, move the pid file of virtiofsd from per-domain directory to stateDir just like the pid file of the domain.

Signed-off-by: Peng Liang
--- src/qemu/qemu_virtiofs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index 08a8b4ed42a9..e617bb65fae0 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -44,11 +44,11 @@ qemuVirtioFSCreatePidFilename(virDomainObj *vm, const char *alias) { qemuDomainObjPrivate *priv =3D vm->privateData; - g_autofree char *name =3D NULL; + g_autofree char *domname =3D virDomainDefGetShortName(vm->def); + g_autofree char *name =3D g_strdup_printf("%s-%s-fs", domname, alias); + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); =20 - name =3D g_strdup_printf("%s-fs", alias); - - return virPidFileBuildPath(priv->libDir, name); + return virPidFileBuildPath(cfg->stateDir, name); } =20 =20 --=20 2.31.1
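Review bot: the path returned by qemuVirtioFSCreatePidFilename() changes from priv->libDir with name "<alias>-fs" to cfg->stateDir with name "<domname>-<alias>-fs" and there is no fallback, so for a virtiofsd that was started before this change the function no longer names the pid file that was actually written. If the stop path uses this function to find the process to kill, those helpers stay running after a daemon upgrade; consider also checking the old libDir location, or say in the commit message why that is not needed. As in patch 1/2, domname should be checked for NULL before it is used in g_strdup_printf("%s-%s-fs", ...).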