[PATCH RESEND 5/6] docs: Document security implications of debugging

Ilya Leoshkevich posted 6 patches 2 years, 9 months ago
Maintainers: "Alex Bennée" <alex.bennee@linaro.org>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Laurent Vivier <laurent@vivier.eu>, Peter Maydell <peter.maydell@linaro.org>, Richard Henderson <richard.henderson@linaro.org>, David Hildenbrand <david@redhat.com>, Ilya Leoshkevich <iii@linux.ibm.com>
There is a newer version of this series
[PATCH RESEND 5/6] docs: Document security implications of debugging
Posted by Ilya Leoshkevich 2 years, 9 months ago
Now that the GDB stub implements reading host files, concerns may arise
that it undermines security. Document the status quo, which is that the
users are already responsible for securing the GDB connection
themselves.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
---
 docs/system/gdb.rst | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docs/system/gdb.rst b/docs/system/gdb.rst
index 453eb73f6c4..3cc5167d928 100644
--- a/docs/system/gdb.rst
+++ b/docs/system/gdb.rst
@@ -192,3 +192,18 @@ The memory mode can be checked by sending the following command:
 
 ``maintenance packet Qqemu.PhyMemMode:0``
     This will change it back to normal memory mode.
+
+Security considerations
+=======================
+
+Connecting to the GDB socket allows running arbitrary code inside the guest;
+in case of the TCG emulation, which is not considered a security boundary, this
+also means running arbitrary code on the host. Additionally, when debugging
+qemu-user, it allows directly downloading any file readable by QEMU from the
+host.
+
+The GDB socket is not protected by authentication, authorization or encryption.
+It is therefore a responsibility of the user to make sure that only authorized
+clients can connect to it, e.g., by using a unix socket with proper
+permissions, or by opening a TCP socket only on interfaces that are not
+reachable by potential attackers.
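Review bot: the last sentence of the second added paragraph treats "opening a TCP socket only on interfaces that are not reachable by potential attackers" as equivalent to a unix socket with proper permissions, but the two do not give the same protection. A TCP socket bound to loopback is still reachable by every local user and process on the host, whereas filesystem permissions on a unix socket can restrict access to a single user. Since the first paragraph says a connection means arbitrary code execution on the host under TCG and host file reads under qemu-user, I would name the unix socket as the preferred option and say that the TCP variant is only appropriate when no untrusted local users or processes share the host. Minor wording: "in case of the TCG emulation" reads better as "in the case of TCG emulation", and "a responsibility of the user" as "the responsibility of the user". A short example of starting the stub on a unix socket, placed with the other usage text in this file, would make the advice actionable.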
-- 
2.40.1
Re: [PATCH RESEND 5/6] docs: Document security implications of debugging
Posted by Alex Bennée 2 years, 8 months ago
Ilya Leoshkevich <iii@linux.ibm.com> writes:

> Now that the GDB stub implements reading host files, concerns may arise
> that it undermines security. Document the status quo, which is that the
> users are already responsible for securing the GDB connection
> themselves.
>
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro
Re: [PATCH RESEND 5/6] docs: Document security implications of debugging
Posted by Dominik Czarnota 2 years, 8 months ago
Hi,

Just to add two cents here: the commit message is a bit not true because
the qemu-user GDB stub could always read host files by just changing the
emulated code to open and read those files. Apart from that, I like the
documentation additions.

Best regards,
Dominik 'Disconnect3d' Czarnota

On Wed, 24 May 2023 at 12:27, Alex Bennée <alex.bennee@linaro.org> wrote:

>
> Ilya Leoshkevich <iii@linux.ibm.com> writes:
>
> > Now that the GDB stub implements reading host files, concerns may arise
> > that it undermines security. Document the status quo, which is that the
> > users are already responsible for securing the GDB connection
> > themselves.
> >
> > Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
>
> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
>
> --
> Alex Bennée
> Virtualisation Tech Lead @ Linaro
>