subject:"\[Xen\-devel\] \[PATCH 1\/5\] docs\/qemu\-deprivilege\: Revise and update with status and future plans"

Re: [Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

2018-11-02 Thread George Dunlap

[Re-sending as this mail seems to have gone missing]

> On Oct 26, 2018, at 3:52 PM, George Dunlap  wrote:
> 
> On 10/26/2018 02:45 PM, Ian Jackson wrote:
>> George Dunlap writes ("[PATCH 1/5] docs/qemu-deprivilege: Revise and update 
>> with status and future plans"):
>>> docs/qemu-deprivilege.txt had some basic instructions for using
>>> dm_restrict, but it was incomplete, misleading, and stale.
>> 
>> Thanks for the updates to the unshare stuff.
>> 
>>> +### Device Model Deprivileging
>>> +
>>> +Status, Linux: Tech Preview, with limited support
>>^
>> dom0
> 
> "Deprivileging" only makes sense in a dom0 context; the definition in
> the first paragraph should make that clear.  I think adding 'dom0' would
> confuse the issue by implying that non-dom0 deprivileging is possible.
> 
>> I think this maybe needs
>> 
>>  +Status, FreeBSD dom0: Unsupported
>> 
>> too ?  The usual default is supported and not listing it at all is
>> confusing.
> 
> Where do we say the default is supported?  I thought the default for a
> _feature_ not mentioned was "no information" (i.e., might be either
> supported or not -- if there's a question ask), and the default for a
> _configuration_ not mentioned was "unsupported".
> 
>>> +NOTE: Most modern systems have 32-bit UIDs, and so can in theory go up
>>> +to 2^31 (or 2^32 if uids are unsigned).  POSIX only guarantees 16-bit
>>> +UIDs however; UID 65535 is reserved for an invalid value, and 65534 is
>>> +normally allocated to "nobody".  Additionally, some container systems
>>> +have proposed using the upper 32 bits of the uid for a container ID.
>> ^^
>> 16
> 
> Ack
> 
>> This is a good paragraph.
>> 
>> Can I suggest we pick a different example to 65536 ?  It's visually
>> similar to the familiar values of 65534 and 65535 and abuts them.
>> 
>> osstest uses 20 but that's not a multiple of 2^16.
>> How about 131072 ?
> 
> Is the idea for making it a multiple of 2^16 that the values will then
> only take up one entry in the "container ID" space?
> 
> -George


___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

2018-10-26 Thread Ian Jackson

George Dunlap writes ("[PATCH 1/5] docs/qemu-deprivilege: Revise and update 
with status and future plans"):
> docs/qemu-deprivilege.txt had some basic instructions for using
> dm_restrict, but it was incomplete, misleading, and stale.

Thanks for the updates to the unshare stuff.

> +### Device Model Deprivileging
> +
> +Status, Linux: Tech Preview, with limited support
^
 dom0

I think this maybe needs

  +Status, FreeBSD dom0: Unsupported

too ?  The usual default is supported and not listing it at all is
confusing.

> +NOTE: Most modern systems have 32-bit UIDs, and so can in theory go up
> +to 2^31 (or 2^32 if uids are unsigned).  POSIX only guarantees 16-bit
> +UIDs however; UID 65535 is reserved for an invalid value, and 65534 is
> +normally allocated to "nobody".  Additionally, some container systems
> +have proposed using the upper 32 bits of the uid for a container ID.
 ^^
 16
This is a good paragraph.

Can I suggest we pick a different example to 65536 ?  It's visually
similar to the familiar values of 65534 and 65535 and abuts them.

osstest uses 20 but that's not a multiple of 2^16.
How about 131072 ?

Thanks,
Ian.

___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

2018-10-26 Thread George Dunlap

Ping?  It's been nearly 3 weeks with only minor review for this series.

 -George

On 10/05/2018 05:56 PM, George Dunlap wrote:
> docs/qemu-deprivilege.txt had some basic instructions for using
> dm_restrict, but it was incomplete, misleading, and stale.
> 
> Update the docs in a number of ways.
> 
> First, separate user-facing documentation and technical description
> into docs/features and docs/design, respectively.
> 
> In the feature doc:
> 
> * Introduce a section mentioning minimim versions of Linux, Xen, and
> qemu required (TBD)
> 
> * Fix the discussion of qemu userid.  Mention xen-qemuuser-range-base,
> and provide example shell code that actually has some hope of working
> (instead of failing out after creating 900 userids).
> 
> * Describe how to enable restrictions, as well as features which
> probably don't or definitely don't work.
> 
> In the design doc, introduce a "Technical Details" section which
> describes specifically what restrictions are currently done, and also
> what restrictions we are looking at doing in the future.
> 
> The idea here is that as we implement the various items for the
> future, we move them from "Restrictions still to do" to "Restrictions
> done".  This can also act as a design document -- a place for public
> discussion of what can or should be done and how.
> 
> Also add an entry to SUPPORT.md.
> 
> Signed-off-by: George Dunlap 
> ---
> Changes since v2:
> - Extraneous privcmd / evtchn instances aren't closed
> - Expand description of how to test fd deprivileging
> - Rework and clarify two namespace sections, give reference for QEMU NAK
> - Add more information about migration technical challenges
> - In UID section, mention possibility of container ID collisions.
> - Fix name of design document.
> - Add SUPPORT.md statement.  Specify Linux, to make sure that FreeBSD is
>   evaluated separately.
> - Mention that `-sandbox` is a blacklist and why
> 
> Changes since v1:
> - Break into two, and move into appropriate directories (rather than 'misc')
> - Updated version requirements
> - Distinguish between features which "don't yet work" and features which we 
> never expect to work
> - Update description of xen-restrict functionality
> - Reorder and expand further restrictions
> - Make it more clear which restrictions are available on Linux only
> - Include detailed description of how to kill a process
> - Add RLIMIT_NPROC as something we can do without further changes to qemu
> - Document the need to check for the sandbox feature before using it
> 
> Thank you to Ross Lagerwall, whose description of what XenServer is
> doing formed much of the basis for the text here.
> 
> CC: Ian Jackson 
> CC: Wei Liu 
> CC: Andrew Cooper 
> CC: Jan Beulich 
> CC: Tim Deegan 
> CC: Konrad Wilk 
> CC: Stefano Stabellini 
> CC: Julien Grall 
> CC: Anthony Perard 
> CC: Ross Lagerwall 
> ---
>  SUPPORT.md|  20 ++
>  docs/designs/qemu-deprivilege.md  | 322 ++
>  docs/features/qemu-deprivilege.pandoc |  94 
>  docs/misc/qemu-deprivilege.txt|  36 ---
>  4 files changed, 436 insertions(+), 36 deletions(-)
>  create mode 100644 docs/designs/qemu-deprivilege.md
>  create mode 100644 docs/features/qemu-deprivilege.pandoc
>  delete mode 100644 docs/misc/qemu-deprivilege.txt
> 
> diff --git a/SUPPORT.md b/SUPPORT.md
> index 3727446b83..b5e7e44fb3 100644
> --- a/SUPPORT.md
> +++ b/SUPPORT.md
> @@ -525,6 +525,26 @@ Vulnerabilities of a device model stub domain
>  to a hostile driver domain (either compromised or untrusted)
>  are excluded from security support.
>  
> +### Device Model Deprivileging
> +
> +Status, Linux: Tech Preview, with limited support
> +
> +This means adding extra restrictions to a device model running in
> +domain 0 in order to prevent a compromised device model to attack the
> +rest of the system.
> +
> +"Tech preview with limited support" means we will not issue XSAs for
> +the _additional_ functionality provided by the feature; but we will
> +issue XSAs in the event that enabling this feature opens up a security
> +hole that would not be present without the feature disabled.
> +
> +For example, while this is classified as tech preview, a bug in libxl
> +which failed to change the user ID of QEMU would not receive an XSA,
> +since without this feature the user ID wouldn't be changed. But a
> +change which made it possible for a compromised guest to read
> +arbitrary files on the host filesystem without compromising QEMU would
> +be issued an XSA, since that does weaken security.
> +
>  ### KCONFIG Expert
>  
>  Status: Experimental
> diff --git a/docs/designs/qemu-deprivilege.md 
> b/docs/designs/qemu-deprivilege.md
> new file mode 100644
> index 00..d3c6495030
> --- /dev/null
> +++ b/docs/designs/qemu-deprivilege.md
> @@ -0,0 +1,322 @@
> +# Introduction
> +
> +The goal of deprilvileging qemu is this: Even if there is a bug (for
> +example in qemu) which permits a domain to gain

[Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

2018-10-05 Thread George Dunlap

docs/qemu-deprivilege.txt had some basic instructions for using
dm_restrict, but it was incomplete, misleading, and stale.

Update the docs in a number of ways.

First, separate user-facing documentation and technical description
into docs/features and docs/design, respectively.

In the feature doc:

* Introduce a section mentioning minimim versions of Linux, Xen, and
qemu required (TBD)

* Fix the discussion of qemu userid.  Mention xen-qemuuser-range-base,
and provide example shell code that actually has some hope of working
(instead of failing out after creating 900 userids).

* Describe how to enable restrictions, as well as features which
probably don't or definitely don't work.

In the design doc, introduce a "Technical Details" section which
describes specifically what restrictions are currently done, and also
what restrictions we are looking at doing in the future.

The idea here is that as we implement the various items for the
future, we move them from "Restrictions still to do" to "Restrictions
done".  This can also act as a design document -- a place for public
discussion of what can or should be done and how.

Also add an entry to SUPPORT.md.

Signed-off-by: George Dunlap 
---
Changes since v2:
- Extraneous privcmd / evtchn instances aren't closed
- Expand description of how to test fd deprivileging
- Rework and clarify two namespace sections, give reference for QEMU NAK
- Add more information about migration technical challenges
- In UID section, mention possibility of container ID collisions.
- Fix name of design document.
- Add SUPPORT.md statement.  Specify Linux, to make sure that FreeBSD is
  evaluated separately.
- Mention that `-sandbox` is a blacklist and why

Changes since v1:
- Break into two, and move into appropriate directories (rather than 'misc')
- Updated version requirements
- Distinguish between features which "don't yet work" and features which we 
never expect to work
- Update description of xen-restrict functionality
- Reorder and expand further restrictions
- Make it more clear which restrictions are available on Linux only
- Include detailed description of how to kill a process
- Add RLIMIT_NPROC as something we can do without further changes to qemu
- Document the need to check for the sandbox feature before using it

Thank you to Ross Lagerwall, whose description of what XenServer is
doing formed much of the basis for the text here.

CC: Ian Jackson 
CC: Wei Liu 
CC: Andrew Cooper 
CC: Jan Beulich 
CC: Tim Deegan 
CC: Konrad Wilk 
CC: Stefano Stabellini 
CC: Julien Grall 
CC: Anthony Perard 
CC: Ross Lagerwall 
---
 SUPPORT.md|  20 ++
 docs/designs/qemu-deprivilege.md  | 322 ++
 docs/features/qemu-deprivilege.pandoc |  94 
 docs/misc/qemu-deprivilege.txt|  36 ---
 4 files changed, 436 insertions(+), 36 deletions(-)
 create mode 100644 docs/designs/qemu-deprivilege.md
 create mode 100644 docs/features/qemu-deprivilege.pandoc
 delete mode 100644 docs/misc/qemu-deprivilege.txt

diff --git a/SUPPORT.md b/SUPPORT.md
index 3727446b83..b5e7e44fb3 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -525,6 +525,26 @@ Vulnerabilities of a device model stub domain
 to a hostile driver domain (either compromised or untrusted)
 are excluded from security support.
 
+### Device Model Deprivileging
+
+Status, Linux: Tech Preview, with limited support
+
+This means adding extra restrictions to a device model running in
+domain 0 in order to prevent a compromised device model to attack the
+rest of the system.
+
+"Tech preview with limited support" means we will not issue XSAs for
+the _additional_ functionality provided by the feature; but we will
+issue XSAs in the event that enabling this feature opens up a security
+hole that would not be present without the feature disabled.
+
+For example, while this is classified as tech preview, a bug in libxl
+which failed to change the user ID of QEMU would not receive an XSA,
+since without this feature the user ID wouldn't be changed. But a
+change which made it possible for a compromised guest to read
+arbitrary files on the host filesystem without compromising QEMU would
+be issued an XSA, since that does weaken security.
+
 ### KCONFIG Expert
 
 Status: Experimental
diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-deprivilege.md
new file mode 100644
index 00..d3c6495030
--- /dev/null
+++ b/docs/designs/qemu-deprivilege.md
@@ -0,0 +1,322 @@
+# Introduction
+
+The goal of deprilvileging qemu is this: Even if there is a bug (for
+example in qemu) which permits a domain to gain control of the device
+model, the compromised device model process is prevented from
+violating the system's overall security properties.  Ie, a guest
+cannot "escape" from the virtualisation by using a qemu bug.
+
+This document lists the various technical measures which we either
+have taken, or plan to take to effect this goal.  Some of them are
+required to be

Re: [Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

Re: [Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

Re: [Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

[Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans

4 matches

Site Navigation

Mail list logo

Footer information