From patchwork Thu Oct 12 11:21:06 2017
X-Patchwork-Submitter: Ian Jackson
X-Patchwork-Id: 10001675
From: Ian Jackson
To:
Date: Thu, 12 Oct 2017 12:21:06 +0100
Message-ID: <1507807267-13709-1-git-send-email-ian.jackson@eu.citrix.com>
Cc: Ian Jackson, Wei Liu, Roger Pau Monné
Subject: [Xen-devel] [PATCH 1/2] libxl: dm_restrict: Move to domain_build_info

Right now, this is broken because libxl__build_device_model_args_new
is used also for the qemu run for pv guests for qdisk devices, pvfb,
etc.

We can either make this option properly HVM-specific, or make it
generic. In principle it is a reasonable request, to make the PV qemu
deprivileged (even though it is not likely to be implemented any time
soon). So make this option generic.

We retain the name "device model" even though it is arguably
inaccurate, because the xl docs already say, for example

  For a PV guest a device-model is sometimes used to provide backends
  for certain PV devices

The documentation patch here is pure code motion. For ease of review
we will fix up the docs, so that the wording is right for the new
context, in the next patch.

Signed-off-by: Ian Jackson
Reported-by: Roger Pau Monné
Acked-by: Wei Liu
---
 docs/man/xl.cfg.pod.5.in    | 198 ++++++++++++++++++++++----------------------
 tools/libxl/libxl_create.c  |   2 +-
 tools/libxl/libxl_dm.c      |   6 +-
 tools/libxl/libxl_types.idl |   2 +-
 4 files changed, 104 insertions(+), 104 deletions(-)

diff --git a/docs/man/xl.cfg.pod.5.in b/docs/man/xl.cfg.pod.5.in
index cf3fa0e..8125dfb 100644
--- a/docs/man/xl.cfg.pod.5.in
+++ b/docs/man/xl.cfg.pod.5.in
@@ -1270,6 +1270,105 @@ connectors=id0:1920x1080;id1:800x600;id2:640x480 =back +=item B + +Restrict the HVM device model after startup, +to limit the consequencese of security vulnerabilities in qemu. + +With this feature enabled, +a compromise of the device model, +via such a vulnerability, +will not provide a privilege escalation attack on the whole system. + +This feature is a B. +There are some significant limitations: + +=over 4 + +=item + +You must have a new enough qemu. +In particular, +if your qemu does not have the commit +B +the restriction request will be silently ineffective! + +=item + +The mechanisms used are not effective against +denial of service problems. +A compromised qemu can probably still impair +or perhaps even prevent +the proper functioning of the whole system, +(at the very least, but not limited to, +through resource exhaustion). + +=item + +It is not known whether the protection is +effective when a domain is migrated. + +=item + +Some domain management functions do not work. +For example, cdrom insert will fail. + +=item + +You should say C. +Domains with stdvga graphics cards to not work. +Domains with cirrus vga may seem to work. + +=item + +You must create user(s) for qemu to run as. + +Ideally, set aside a range of 32752 uids +(from N to N+32751) +and create a user +whose name is B +and whose uid is N +and whose gid is a plain unprivileged gid. +libxl will use one such user for each domid. + +Alternatively, either create +B +for every $domid from 1 to 32751 inclusive, +or +B +(in which case different guests will not +be protected against each other). + +=item + +There are no countermeasures taken against reuse +of the same unix user (uid) +for subsequent domains, +even if the B users are created. +So a past domain with the same domid may be able to +interferer with future domains. +Possibly, even after a reboot. + +=item + +A compromised qemu will be able to read world-readable +files in the dom0 operating system. 
+ +=item + +Because of these limitations, this functionality, +while it may enhance your security, +should not be relied on. +Any further limitations discovered in the current version +will B be handled via the Xen Project Security Process. + +=item + +In the future as we enhance this feature to improve the security, +we may break backward compatibility. + +=back + =head2 Paravirtualised (PV) Guest Specific Options The following options apply only to Paravirtual (PV) guests. 
@@ -2197,105 +2296,6 @@ specified, enabling the use of XenServer PV drivers in the guest. This parameter only takes effect when device_model_version=qemu-xen. See B for more information. -=item B - -Restrict the HVM device model after startup, -to limit the consequencese of security vulnerabilities in qemu. - -With this feature enabled, -a compromise of the device model, -via such a vulnerability, -will not provide a privilege escalation attack on the whole system. - -This feature is a B. -There are some significant limitations: - -=over 4 - -=item - -You must have a new enough qemu. -In particular, -if your qemu does not have the commit -B -the restriction request will be silently ineffective! - -=item - -The mechanisms used are not effective against -denial of service problems. -A compromised qemu can probably still impair -or perhaps even prevent -the proper functioning of the whole system, -(at the very least, but not limited to, -through resource exhaustion). - -=item - -It is not known whether the protection is -effective when a domain is migrated. - -=item - -Some domain management functions do not work. -For example, cdrom insert will fail. - -=item - -You should say C. -Domains with stdvga graphics cards to not work. -Domains with cirrus vga may seem to work. - -=item - -You must create user(s) for qemu to run as. - -Ideally, set aside a range of 32752 uids -(from N to N+32751) -and create a user -whose name is B -and whose uid is N -and whose gid is a plain unprivileged gid. -libxl will use one such user for each domid. - -Alternatively, either create -B -for every $domid from 1 to 32751 inclusive, -or -B -(in which case different guests will not -be protected against each other). - -=item - -There are no countermeasures taken against reuse -of the same unix user (uid) -for subsequent domains, -even if the B users are created. -So a past domain with the same domid may be able to -interferer with future domains. -Possibly, even after a reboot. 
- -=item - -A compromised qemu will be able to read world-readable -files in the dom0 operating system. - -=item - -Because of these limitations, this functionality, -while it may enhance your security, -should not be relied on. -Any further limitations discovered in the current version -will B be handled via the Xen Project Security Process. - -=item - -In the future as we enhance this feature to improve the security, -we may break backward compatibility. - -=back - =back =head2 PVH Guest Specific Options diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c index 0db9c0e..f15fb21 100644 --- a/tools/libxl/libxl_create.c +++ b/tools/libxl/libxl_create.c @@ -216,6 +216,7 @@ int libxl__domain_build_info_setdefault(libxl__gc *gc, b_info->event_channels = 1023; libxl__arch_domain_build_info_acpi_setdefault(b_info); + libxl_defbool_setdefault(&b_info->dm_restrict, false); switch (b_info->type) { case LIBXL_DOMAIN_TYPE_HVM: @@ -308,7 +309,6 @@ int libxl__domain_build_info_setdefault(libxl__gc *gc, libxl_defbool_setdefault(&b_info->u.hvm.altp2m, false); libxl_defbool_setdefault(&b_info->u.hvm.usb, false); libxl_defbool_setdefault(&b_info->u.hvm.xen_platform_pci, true); - libxl_defbool_setdefault(&b_info->u.hvm.dm_restrict, false); libxl_defbool_setdefault(&b_info->u.hvm.spice.enable, false); if (!libxl_defbool_val(b_info->u.hvm.spice.enable) && diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c index 0a5b0f8..7caf471 100644 --- a/tools/libxl/libxl_dm.c +++ b/tools/libxl/libxl_dm.c @@ -642,7 +642,7 @@ static int libxl__build_device_model_args_old(libxl__gc *gc, flexarray_append(dm_args, "-nographic"); } - if (libxl_defbool_val(b_info->u.hvm.dm_restrict)) { + if (libxl_defbool_val(b_info->dm_restrict)) { LOGD(ERROR, domid, "dm_restrict not supported by qemu-xen-traditional"); return ERROR_INVAL; 
@@ -1421,7 +1421,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, } } - if (libxl_defbool_val(b_info->u.hvm.dm_restrict)) + if (libxl_defbool_val(b_info->dm_restrict)) flexarray_append(dm_args, "-xen-domid-restrict"); if (state->saved_state) { @@ -1653,7 +1653,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, goto end_search; } - if (!libxl_defbool_val(b_info->u.hvm.dm_restrict)) { + if (!libxl_defbool_val(b_info->dm_restrict)) { LOGD(DEBUG, guest_domid, "dm_restrict disabled, starting QEMU as root"); goto end_search; diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl index 65d32cb..a239324 100644 --- a/tools/libxl/libxl_types.idl +++ b/tools/libxl/libxl_types.idl @@ -521,6 +521,7 @@ libxl_domain_build_info = Struct("domain_build_info",[ ("timer_mode", libxl_timer_mode), ("nested_hvm", libxl_defbool), ("apic", libxl_defbool), + ("dm_restrict", libxl_defbool), ("u", KeyedUnion(None, libxl_domain_type, "type", [("hvm", Struct(None, [("firmware", string), ("bios", libxl_bios_type), @@ -580,7 +581,6 @@ libxl_domain_build_info = Struct("domain_build_info",[ ("rdm", libxl_rdm_reserve), ("rdm_mem_boundary_memkb", MemKB), ("mca_caps", uint64), - ("dm_restrict", libxl_defbool), ])), ("pv", Struct(None, [("kernel", string), ("slack_memkb", MemKB),
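Review bot: The block moved in the @@ -1270 hunk of xl.cfg.pod.5.in still opens with "Restrict the HVM device model after startup" even though the point of the move is that the option now applies to the qemu started for PV guests too, and it carries the typos "consequencese", "to not work" and "interferer" along with it. The commit message defers wording to the next patch, which is fine for code motion, but please make sure 2/2 picks up both the HVM-only wording and the typos, since anyone bisecting between 1/2 and 2/2 will see a generic option documented as HVM-specific.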
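Review bot: In the @@ -216 hunk of libxl_create.c the new libxl_defbool_setdefault(&b_info->dm_restrict, false) sits before the switch on b_info->type, so the default is now applied for every domain type; that matches the intent, but it also means a PV guest config with dm_restrict set will reach the "-xen-domid-restrict" append in the @@ -1421 hunk of libxl_dm.c and the uid search guarded in the @@ -1653 hunk, while the commit message says PV deprivileging is not expected to be implemented any time soon. The commit message should state whether enabling it for a PV guest is meant to work today or whether a follow-up should reject it for non-HVM types until the PV qemu side is actually supported.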
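Review bot: The @@ -1421 hunk of libxl_dm.c only appends "-xen-domid-restrict" and has no way to tell whether qemu honoured it, while the moved documentation in the @@ -1270 hunk warns that on a qemu without the required commit "the restriction request will be silently ineffective". That is pre-existing rather than introduced here, but now that the field is generic it is worth a comment at this line (or a note in the commit message) that the qemu-xen-traditional path returns ERROR_INVAL in the @@ -642 hunk whereas the qemu-xen path fails open, so an administrator relying on dm_restrict has no libxl-level signal when it did not take effect.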
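Review bot: The @@ -521 hunk of libxl_types.idl moves dm_restrict from the hvm member of the KeyedUnion to the top level of libxl_domain_build_info, which changes both the public struct layout and the name callers use (b_info->dm_restrict instead of b_info->u.hvm.dm_restrict). Nothing under tools/xl appears in the diffstat, so please confirm xl's config parser and any other in-tree user of u.hvm.dm_restrict either do not exist or were already converted, otherwise the tree does not build at this point in the series; since libxl_domain_build_info is public libxl API, the move is also worth calling out for out-of-tree consumers.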