On 24.08.2025 13:16, Michael Tokarev wrote: ...
This is just the tip of the iceberg - just the very basics. Qemu can be modified to not react to QEMU_* environment variables when it detects it is running with elevated privileges, in a way similar to a shell which ignores certain env vars when run in suid mode - and this is something which definitely should be done (I'll post a simple patch later). Maybe it should produce a big fat warning when it detects suid mode, too.
This approach turned out to be quite a bit fragile. I tried to modify linux-user/main.c to ignore -options or QEMU_* environment variables. This is not difficult to do. However - suppose the foreign suid binary being run spawns some helper binary as root still (like, to verify the user's password or whatnot) - which is also foreign architecture and will also be run by (another) qemu, but this time not necessarily with a good indication it's running in suid mode. We might filter these env vars, but since no other programs care for these variables, they might reappear somewhere (remember, it is the (evil) user who controls the whole environment), so it becomes more and more fragile.

So, basically, just a big fat warning when getuid() != geteuid(), and that's about it. And this will break various CIs/tests where people compare test output with the saved one. Sigh. It's an interesting situation.

Thanks,

/mjt
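As an added illustration (not code from the message or from QEMU itself) of the first, non-fragile half of what is described above: detect privileged mode and strip QEMU_* variables from an environment block before the emulator acts on them. It combines getauxval(AT_SECURE), which the kernel sets for setuid/setgid/file-capability executables, with the getuid()/geteuid() comparison the message mentions; as the message notes, this only covers the first process, not helpers it spawns.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (glibc >= 2.16) */

/* True when the process holds privileges its invoker does not have.
 * AT_SECURE is set by the kernel for setuid/setgid/file-capability
 * executables; the uid/gid comparison covers the plain setuid case. */
int privileged_mode(void)
{
    if (getauxval(AT_SECURE) != 0)
        return 1;
    return getuid() != geteuid() || getgid() != getegid();
}

/* Drop every "QEMU_*" entry from the NULL-terminated array envp, in
 * place, when privileged is set (nothing changes otherwise). Returns
 * the number of entries removed; the array stays NULL-terminated. */
int scrub_qemu_env(char **envp, int privileged)
{
    int dropped = 0;
    char **out = envp;
    if (!privileged)
        return 0;
    for (char **in = envp; *in != NULL; in++) {
        if (strncmp(*in, "QEMU_", 5) == 0)
            dropped++;          /* caller-controlled knob: ignore it */
        else
            *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment; the names are real qemu-user
     * variables, the values are placeholders. */
    char *env[] = { "HOME=/home/user", "QEMU_LD_PREFIX=/some/sysroot",
                    "PATH=/usr/bin", "QEMU_STRACE=1", NULL };
    int priv = privileged_mode();
    if (priv)
        fprintf(stderr, "warning: elevated privileges, ignoring QEMU_*\n");
    printf("privileged=%d, dropped %d QEMU_* entries\n",
           priv, scrub_qemu_env(env, priv));
    return 0;
}
```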