From: Peng Liang
Subject: [PATCH v2 1/2] qemu: Move pid file of pr-helper to stateDir
Date: Mon, 18 Oct 2021 17:20:11 +0800
Message-ID: <20211018092012.2017389-2-liangpeng10@huawei.com>
In-Reply-To: <20211018092012.2017389-1-liangpeng10@huawei.com>
References: <20211018092012.2017389-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

Libvirt will put the pid file of pr-helper to per-domain directory.
However, the ownership of the per-domain directory is the user to run the QEMU process and the user has the write permission of the directory. If VM escape occurs, the attacker can 1. write arbitrary content to the pid file (if running QEMU using root), then the attacker can kill any process by writing appropriate pid to the pid file; 2. spoof the pid file (if running QEMU using a regular user), then the pr-helper process will never be cleared even if the VM is destroyed. So, move the pid file of pr-helper from per-domain directory to stateDir. Signed-off-by: Peng Liang Reviewed-by: Michal Privoznik --- src/qemu/qemu_process.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index f95ed80fac43..6027b30405dc 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -2856,7 +2856,7 @@ qemuProcessResctrlCreate(virQEMUDriver *driver, =20 =20 static char * -qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm) +qemuProcessBuildPRHelperPidfilePathOld(virDomainObj *vm) { qemuDomainObjPrivate *priv =3D vm->privateData; const char *prdAlias =3D qemuDomainGetManagedPRAlias(); @@ -2865,6 +2865,18 @@ qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm) } =20 =20 +static char * +qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm) +{ + qemuDomainObjPrivate *priv =3D vm->privateData; + g_autofree char *domname =3D virDomainDefGetShortName(vm->def); + g_autofree char *prdName =3D g_strdup_printf("%s-%s", domname, qemuDom= ainGetManagedPRAlias()); + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); + + return virPidFileBuildPath(cfg->stateDir, prdName); +} + + void qemuProcessKillManagedPRDaemon(virDomainObj *vm) { 
@@ -2877,6 +2889,14 @@ qemuProcessKillManagedPRDaemon(virDomainObj *vm) return; } =20 + if (!virFileExists(pidfile)) { + g_free(pidfile); + if (!(pidfile =3D qemuProcessBuildPRHelperPidfilePathOld(vm))) { + VIR_WARN("Unable to construct pr-helper pidfile path"); + return; + } + } + virErrorPreserveLast(&orig_err); if (virPidFileForceCleanupPath(pidfile) < 0) { VIR_WARN("Unable to kill pr-helper process"); --=20 2.31.1
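Review bot: In the new qemuProcessBuildPRHelperPidfilePath() of patch 1/2 (hunk at -2865), the result of virDomainDefGetShortName(vm->def) goes straight into g_strdup_printf("%s-%s", ...) with no NULL check, so a failed short-name lookup would produce a pid file name built from a NULL string. Return NULL early when domname is NULL; qemuProcessKillManagedPRDaemon() already has a return path for a pidfile it cannot construct. Because cfg->stateDir is shared by all domains while the old location was per-domain, a one-line comment saying that the short-name prefix is what keeps the file name unique would help the next reader, and the g_strdup_printf() line is long enough to wrap.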
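Review bot: The fallback added to qemuProcessKillManagedPRDaemon() in patch 1/2 (hunk at -2877) switches to qemuProcessBuildPRHelperPidfilePathOld() whenever virFileExists(pidfile) is false, so in that case virPidFileForceCleanupPath() still acts on the per-domain pid file that the commit message describes as writable by the user running QEMU. Nothing in the hunk distinguishes a domain started before this change from one whose stateDir pid file is simply absent. Consider limiting the fallback to domains known to predate the change (for example by recording the pid file location in the domain's private state when the helper is started), or at minimum add a comment above the block stating that the old path is kept only for already-running domains and when it can be removed.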
From: Peng Liang
Subject: [PATCH v2 2/2] qemu: Move pid file of virtiofsd to stateDir
Date: Mon, 18 Oct 2021 17:20:12 +0800
Message-ID: <20211018092012.2017389-3-liangpeng10@huawei.com>
In-Reply-To: <20211018092012.2017389-1-liangpeng10@huawei.com>
References: <20211018092012.2017389-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

Libvirt will put the pid file of virtiofsd to per-domain directory.
However, the ownership of the per-domain directory is the user to run the QEMU process and the user has the write permission of the directory. If VM escape occurs, the attacker can 1. write arbitrary content to the pid file (if running QEMU using root), then the attacker can kill any process by writing appropriate pid to the pid file; 2. spoof the pid file (if running QEMU using a regular user), then the virtiofsd process will never be cleared even if the VM is destroyed. So, move the pid file of virtiofsd from per-domain directory to stateDir. Signed-off-by: Peng Liang Reviewed-by: Michal Privoznik --- src/qemu/qemu_virtiofs.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index 3ca45457c16e..0c12c5ea22a6 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -39,9 +39,9 @@ VIR_LOG_INIT("qemu.virtiofs"); =20 =20 -char * -qemuVirtioFSCreatePidFilename(virDomainObj *vm, - const char *alias) +static char * +qemuVirtioFSCreatePidFilenameOld(virDomainObj *vm, + const char *alias) { qemuDomainObjPrivate *priv =3D vm->privateData; g_autofree char *name =3D NULL; @@ -52,6 +52,19 @@ qemuVirtioFSCreatePidFilename(virDomainObj *vm, } =20 =20 +char * +qemuVirtioFSCreatePidFilename(virDomainObj *vm, + const char *alias) +{ + qemuDomainObjPrivate *priv =3D vm->privateData; + g_autofree char *domname =3D virDomainDefGetShortName(vm->def); + g_autofree char *name =3D g_strdup_printf("%s-%s-fs", domname, alias); + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); + + return virPidFileBuildPath(cfg->stateDir, name); +} + + char * qemuVirtioFSCreateSocketFilename(virDomainObj *vm, const char *alias) 
@@ -283,6 +296,12 @@ qemuVirtioFSStop(virQEMUDriver *driver G_GNUC_UNUSED, if (!(pidfile =3D qemuVirtioFSCreatePidFilename(vm, fs->info.alias))) goto cleanup; =20 + if (!virFileExists(pidfile)) { + g_free(pidfile); + if (!(pidfile =3D qemuVirtioFSCreatePidFilenameOld(vm, fs->info.al= ias))) + goto cleanup; + } + if (virPidFileForceCleanupPathFull(pidfile, true) < 0) { VIR_WARN("Unable to kill virtiofsd process"); } else { --=20 2.31.1
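Review bot: The new qemuVirtioFSCreatePidFilename() in patch 2/2 (hunk at -52) repeats the construction used by qemuProcessBuildPRHelperPidfilePath() in 1/2: short name from virDomainDefGetShortName(vm->def), a g_strdup_printf() of the file name, then virPidFileBuildPath(cfg->stateDir, name), again without checking domname for NULL. A small shared helper that takes the per-daemon suffix and performs the NULL check once would keep the two naming schemes in step. The "%s-%s-fs" format also deserves a short comment explaining the "-fs" suffix, since the file now sits in a directory shared with other domains' pid files.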
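Review bot: In qemuVirtioFSStop() of patch 2/2 (hunk at -283), the fallback to qemuVirtioFSCreatePidFilenameOld() means that when the stateDir pid file does not exist, virPidFileForceCleanupPathFull(pidfile, true) is run against the per-domain file, which is the location the commit message says the QEMU user can write. As with the pr-helper change, restrict this to domains started before the change or document it as a compatibility path with a comment. The failure branch here also does a silent goto cleanup, whereas the equivalent branch in 1/2 logs a VIR_WARN; logging in both places would make a skipped virtiofsd cleanup visible.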