On 17/7/20 12:57 PM, Stefan Hajnoczi wrote:

On Mon, May 18, 2020 at 11:37:20PM +0300, Nikos Dragazis wrote:
Signed-off-by: Nikos Dragazis <ndraga...@arrikto.com>
---
  virtio-vhost-user.tex | 13 +++++++++----
  1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/virtio-vhost-user.tex b/virtio-vhost-user.tex
index a673526..328baec 100644
--- a/virtio-vhost-user.tex
+++ b/virtio-vhost-user.tex
@@ -142,10 +142,15 @@ \subsubsection{Device Operation: RX/TX 
Queues}\label{sec:Device Types / Vhost-us
  message that is too large for an rxq buffer, then DEVICE_NEEDS_RESET is set 
and
  the driver must reset the device.
-File descriptor passing is handled differently by the vhost-user device
-backend.  When a message is received that carries one or more file descriptors
-according to the vhost-user protocol, additional device resources become
-available to the driver.
+File descriptor passing is handled differently by the vhost-user device 
backend.
+When a master-initiated message is received that carries one or more file
+descriptors according to the vhost-user protocol, additional device resources
+become available to the driver.
+
+On the contrary, the slave cannot pass file descriptors to the master. For this
+reason, the vhost-user device backend MUST be intercepting the slave's reply to
+the VHOST_USER_GET_PROTOCOL_FEATURES vhost-user message and clearing these
+feature bits that allow the slave to send messages that pass file descriptors.
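Review bot: the normative sentence in the second added paragraph ("the vhost-user device backend MUST be intercepting ... and clearing these feature bits that allow the slave to send messages that pass file descriptors") never names the bits, so an implementer cannot tell which bits must be cleared; list them explicitly (the reply later in this thread names VHOST_USER_PROTOCOL_F_SLAVE_SEND_FD and VHOST_USER_PROTOCOL_F_PAGEFAULT) and phrase the requirement as "MUST intercept ... and clear" rather than "MUST be intercepting ... and clearing". Clearing bits in the VHOST_USER_GET_PROTOCOL_FEATURES reply only constrains a cooperating master, so the paragraph should also say what the device does if the slave nevertheless sends a message that carries file descriptors, for example the same DEVICE_NEEDS_RESET handling the preceding context lines prescribe for a message too large for an rxq buffer. Style: "On the contrary" reads as a contradiction of the previous sentence; "Conversely" or "In the other direction" is the intended sense.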
Please be specific about which vhost-user protocol bits are not
supported.

Currently, this goes for the VHOST_USER_PROTOCOL_F_SLAVE_SEND_FD and
VHOST_USER_PROTOCOL_F_PAGEFAULT feature bits.


Why does the virtio-vhost-user device implementation need to silently
clear those feature bits? Is there a security impact or some other
reason why the VIRTIO spec should specify this behavior?

In our setup, the slave cannot pass file descriptors to the master.
The easiest way to enforce this restriction is during feature
negotiation. The virtio-vhost-user device will mask the unsupported
feature bits and, therefore, the master will not enable these feature
bits on the slave.


Stefan
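The masking step discussed above, as an added example that is not part of this thread or of the virtio-vhost-user project: a device-side filter applied to the slave's GET_PROTOCOL_FEATURES reply before it is forwarded to the master. The header layout, request id, flag bits and feature-bit positions are assumed from the vhost-user protocol specification, not taken from this page, and the reply used for testing is constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Wire layout of a vhost-user message header plus a u64 payload
 * (layout and constants assumed from the vhost-user protocol spec). */
typedef struct __attribute__((packed)) {
    uint32_t request;   /* VHOST_USER_* request id */
    uint32_t flags;     /* bits 0-1: version, bit 2: reply, bit 3: need-reply */
    uint32_t size;      /* payload length in bytes */
    uint64_t u64;       /* payload: protocol feature bitmask for this request */
} VhostUserMsg;

#define VHOST_USER_GET_PROTOCOL_FEATURES   15u
#define VHOST_USER_VERSION                 1u
#define VHOST_USER_REPLY_MASK              (1u << 2)

/* Protocol feature bits that would let the slave pass fds to the master;
 * these are the two bits the thread says the device masks. */
#define VHOST_USER_PROTOCOL_F_PAGEFAULT     8u
#define VHOST_USER_PROTOCOL_F_SLAVE_SEND_FD 10u
#define VVU_UNSUPPORTED_PROTOCOL_FEATURES \
    ((1ull << VHOST_USER_PROTOCOL_F_PAGEFAULT) | \
     (1ull << VHOST_USER_PROTOCOL_F_SLAVE_SEND_FD))

/* Run by the virtio-vhost-user device on every slave->master message.
 * Returns true if the message was a GET_PROTOCOL_FEATURES reply whose
 * advertised feature set was changed; other messages pass through untouched. */
bool vvu_mask_protocol_features(VhostUserMsg *msg)
{
    if (msg->request != VHOST_USER_GET_PROTOCOL_FEATURES ||
        !(msg->flags & VHOST_USER_REPLY_MASK) ||
        msg->size != sizeof(msg->u64)) {
        return false;            /* not the reply we intercept */
    }
    uint64_t before = msg->u64;
    msg->u64 &= ~VVU_UNSUPPORTED_PROTOCOL_FEATURES;
    return msg->u64 != before;
}

/* Build a constructed slave reply advertising the given feature bits. */
VhostUserMsg vvu_make_protocol_features_reply(uint64_t features)
{
    VhostUserMsg msg;
    memset(&msg, 0, sizeof(msg));
    msg.request = VHOST_USER_GET_PROTOCOL_FEATURES;
    msg.flags = VHOST_USER_VERSION | VHOST_USER_REPLY_MASK;
    msg.size = sizeof(msg.u64);
    msg.u64 = features;
    return msg;
}
```

Because the master only ever sees the masked reply, its subsequent SET_PROTOCOL_FEATURES cannot enable the two bits on the slave; a slave that ignores negotiation is a separate case the filter does not cover.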

---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscr...@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-h...@lists.oasis-open.org