From patchwork Tue Sep 27 03:06:21 2016
X-Patchwork-Submitter: Rafael Tinoco
X-Patchwork-Id: 9351457
From: Rafael David Tinoco
To: qemu-devel@nongnu.org
Cc: 1626972@bugs.launchpad.net, marcandre.lureau@redhat.com, mst@redhat.com
Date: Tue, 27 Sep 2016 03:06:21 +0000
Message-Id: <20160927030621.20862-1-rafael.tinoco@canonical.com>
X-Mailer: git-send-email 2.9.3
Subject: [Qemu-devel] [PATCH] util: secure memfd_create fallback mechanism

Commit: 35f9b6ef3acc9d0546c395a566b04e63ca84e302 added a fallback mechanism for systems not supporting the memfd_create syscall (supported since 3.17). Backporting memfd_create might not be accepted for distros relying on older kernels.

Nowadays there is no way for a security driver to discover the memfd filename to be created: /memfd-XXXXXX. It is more appropriate to include the UUID and/or VM name in the temporary filename, allowing security driver rules to be applied while maintaining the required unpredictability with mkstemp.

This change will allow libvirt to know the exact memfd file to be created for the vhost log AND to create appropriate security rules to allow access per instance (instead of an open rule like /memfd-*).
Example of apparmor deny messages with this change:

Per VM UUID (preferred, generated automatically by libvirt):

kernel: [26632.154856] type=1400 audit(1474945148.633:78): apparmor="DENIED" operation="mknod" profile="libvirt-0b96011f-0dc0-44a3-92c3-196de2efab6d" name="/tmp/memfd-0b96011f-0dc0-44a3-92c3-196de2efab6d-qeHrBV" pid=75161 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107

Per VM name (if no UUID is specified):

kernel: [26447.505653] type=1400 audit(1474944963.985:72): apparmor="DENIED" operation="mknod" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/tmp/memfd-instance-teste-osYpHh" pid=74648 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107

Signed-off-by: Rafael David Tinoco
---
 util/memfd.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/util/memfd.c b/util/memfd.c index 4571d1a..4b715ac 100644 --- a/util/memfd.c +++ b/util/memfd.c @@ -30,6 +30,9 @@ #include #include "qemu/memfd.h" +#include "qmp-commands.h" +#include "qemu-common.h" +#include "sysemu/sysemu.h" #ifdef CONFIG_MEMFD #include @@ -94,11 +97,32 @@ void *qemu_memfd_alloc(const char *name, size_t size, unsigned int seals, return NULL; } } else { + int ret = 0; const char *tmpdir = g_get_tmp_dir(); + UuidInfo *uinfo; + NameInfo *ninfo; gchar *fname; - fname = g_strdup_printf("%s/memfd-XXXXXX", tmpdir); + uinfo = qmp_query_uuid(NULL); + + ret = strcmp(uinfo->UUID, UUID_NONE); + if (ret == 0) { + ninfo = qmp_query_name(NULL); + if (ninfo->has_name) { + fname = g_strdup_printf("%s/memfd-%s-XXXXXX", tmpdir, + ninfo->name); + } else { + fname = g_strdup_printf("%s/memfd-XXXXXX", tmpdir); + } + qapi_free_NameInfo(ninfo); + } else { + fname = g_strdup_printf("%s/memfd-%s-XXXXXX", tmpdir, + uinfo->UUID); + } + mfd = mkstemp(fname); + + qapi_free_UuidInfo(uinfo); unlink(fname); g_free(fname);
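Review bot: the three new includes in the first hunk (`qmp-commands.h`, `qemu-common.h`, `sysemu/sysemu.h`) make util/memfd.c depend on the QMP query layer, which is the wrong direction for a util/ helper. The function already receives a `const char *name` (see the `qemu_memfd_alloc(const char *name, ...)` context line of the second hunk), so the caller could pass the UUID or VM name through that parameter and the helper would not need to call `qmp_query_uuid()` / `qmp_query_name()` at all.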
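Review bot: in the second hunk `ninfo->name` comes straight from the user's `-name` option and is interpolated into the mkstemp template with no validation, so a name containing '/' changes which directory the backing file is created in, and characters such as spaces or glob metacharacters make the resulting path hard to match from a libvirt profile. Restrict the identifier to a safe set (for example `[A-Za-z0-9_-]`) before building `fname`, and fall back to the plain `"%s/memfd-XXXXXX"` template when it fails that check. Minor: `ret` only holds the `strcmp` result, so `if (strcmp(uinfo->UUID, UUID_NONE) == 0)` reads more directly than the `ret = ...; if (ret == 0)` pair.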
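As an added example (not part of the patch or of QEMU's util/memfd.c), this builds the fallback template the way the second hunk does, from the temp dir, an identifier and mkstemp's XXXXXX suffix, but checks the identifier before interpolating it; `memfd_ident_ok`, `memfd_template` and `memfd_fallback_open` are hypothetical helper names.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical check: accept only [A-Za-z0-9_-] (the shape of a libvirt UUID), so
 * the identifier cannot add a '/', a glob or whitespace that breaks a path rule. */
static int memfd_ident_ok(const char *ident)
{
    if (ident == NULL || *ident == '\0' || strlen(ident) > 64) return 0;
    for (const char *p = ident; *p; p++) {
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '_') return 0;
    }
    return 1;
}

/* Hypothetical helper: "<tmpdir>/memfd-<ident>-XXXXXX", or "<tmpdir>/memfd-XXXXXX"
 * when ident is NULL. Malloc'd, caller frees; NULL when the identifier is unsafe. */
static char *memfd_template(const char *tmpdir, const char *ident)
{
    if (ident != NULL && !memfd_ident_ok(ident)) return NULL; /* refuse, don't interpolate */
    size_t n = strlen(tmpdir) + 7 + (ident ? strlen(ident) + 1 : 0) + 7; /* "/memfd-" + "XXXXXX\0" */
    char *fname = malloc(n);
    if (fname == NULL) return NULL;
    if (ident != NULL) {
        snprintf(fname, n, "%s/memfd-%s-XXXXXX", tmpdir, ident);
    } else {
        snprintf(fname, n, "%s/memfd-XXXXXX", tmpdir);
    }
    return fname;
}

/* Mirror of the fallback path: mkstemp supplies the unpredictable suffix
 * (O_CREAT|O_EXCL, mode 0600) and the name is unlinked so only the fd survives. */
static int memfd_fallback_open(const char *tmpdir, const char *ident)
{
    char *fname = memfd_template(tmpdir, ident);
    if (fname == NULL) return -1;
    int fd = mkstemp(fname);
    if (fd >= 0) unlink(fname);
    free(fname);
    return fd;
}
```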