Lines Matching refs:to

4 example in qemu) which permits a domain to gain control of the device
10 have taken, or plan to take to effect this goal. Some of them are
11 required to be considered secure (that is, there are known attack
13 are no known attack vectors, but we perform the restrictions to reduce
22 '''Description''': As mentioned above, having QEMU switch to a
24 a compromised QEMU process can do to the system, and having one user
25 per domain id limits what a compromised QEMU process can do to the
28 '''Implementation''': The toolstack adds the following to the qemu command-line:
32 '''How to test''':
47 '''Implementation''': Toolstack adds the following to the qemu command-line:
51 '''How to test''':
53 Use `fishdescriptor` to pull a file descriptor from a running QEMU,
54 then use `depriv-fd-checker` to check that it has the desired
55 properties, and that hypercalls which are meant to fail do fail. (In
66 it to see.
71 Then adds the following to the qemu command-line:
75 '''How to test''': Check `/proc/<qpid>/root`
86 restrictions fail, the process won't be able to even name system mount
87 points or existing non-file-based IPC descriptors to attempt to attack
92 In theory this could be done in QEMU (similar to -sandbox, -runas,
100 '''How to test''': Check `/proc/<qpid>/ns/[ipc,mnt]`
109 process / userid is allowed to consume. These can limit the ability
110 of a compromised QEMU process to DoS domain 0 by exhausting various
111 resources available to it.
116 - `RLIMIT_FSIZE` (file size) to 256KiB.
125 are specified; this does not apply to QEMU running as a Xen DM.
127 '''How to test''': Check `/proc/<qpid>/limits`
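Added example, not code from the Xen or QEMU trees: what the `RLIMIT_FSIZE` value listed above (256KiB) actually does to a process that tries to fill dom0's disk. A forked child applies the limit the way a toolstack would between fork() and exec() of the device model, ignores SIGXFSZ, and writes 64KiB chunks to an unlinked scratch file until the kernel refuses; the parent reads back how much was accepted and why the next write failed. The scratch-file path, chunk size and function names are assumptions made for the example.

```c
/* Added example (not Xen's or QEMU's code): effect of RLIMIT_FSIZE = 256KiB
 * on a process that keeps writing.  A child applies the limit, ignores
 * SIGXFSZ, writes 64KiB chunks to an unlinked temporary file until the kernel
 * refuses, and reports the accepted byte count and the failing errno. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define FSIZE_LIMIT (256 * 1024)   /* the value the page lists */
#define CHUNK       (64 * 1024)    /* assumed write size for the demo */

struct fsize_result {
    long long bytes_written;   /* bytes the kernel accepted; -1 if demo failed */
    int       fail_errno;      /* errno of the first refused write, 0 if none */
};

/* What a toolstack would do between fork() and exec() of the device model. */
int apply_fsize_limit(rlim_t bytes)
{
    struct rlimit rl = { .rlim_cur = bytes, .rlim_max = bytes };
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Scratch file unlinked as soon as it is open; tries /tmp, then the cwd. */
static int open_scratch(void)
{
    char tmp[] = "/tmp/fsize-demo-XXXXXX", cwd[] = "./fsize-demo-XXXXXX";
    int fd = mkstemp(tmp);
    if (fd >= 0) { unlink(tmp); return fd; }
    fd = mkstemp(cwd);
    if (fd >= 0) unlink(cwd);
    return fd;
}

/* Runs the write loop in a child so the caller's own limits stay untouched. */
struct fsize_result run_fsize_demo(void)
{
    struct fsize_result out = { -1, 0 };
    int pipefd[2];
    if (pipe(pipefd) < 0) return out;
    pid_t pid = fork();
    if (pid < 0) return out;

    if (pid == 0) {
        struct fsize_result r = { 0, 0 };
        static char buf[CHUNK];
        int fd = open_scratch();
        if (fd < 0) _exit(1);
        /* SIGXFSZ terminates by default, which is what a sandbox wants;
         * ignore it here so write() returns EFBIG and we can report it. */
        signal(SIGXFSZ, SIG_IGN);
        if (apply_fsize_limit(FSIZE_LIMIT) < 0) _exit(2);
        memset(buf, 'A', sizeof buf);
        for (int i = 0; i < 16; i++) {          /* 1MiB attempted in total */
            ssize_t n = write(fd, buf, sizeof buf);
            if (n < 0) { r.fail_errno = errno; break; }
            r.bytes_written += n;
        }
        _exit(write(pipefd[1], &r, sizeof r) == sizeof r ? 0 : 3);
    }

    close(pipefd[1]);
    struct fsize_result r;
    ssize_t got = read(pipefd[0], &r, sizeof r);
    close(pipefd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return out;
    if (got == sizeof r && WIFEXITED(status) && WEXITSTATUS(status) == 0)
        out = r;
    return out;
}

int main(void)
{
    struct fsize_result r = run_fsize_demo();
    if (r.bytes_written < 0) { fputs("demo could not run\n", stderr); return 1; }
    printf("kernel accepted %lld bytes; next write() failed with %s\n",
           r.bytes_written, r.fail_errno ? strerror(r.fail_errno) : "(nothing)");
    return 0;
}
```

The write that crosses the limit is truncated to fit, so the child ends exactly at 256KiB; the first write starting at the limit gets SIGXFSZ and, because the signal is ignored here, `EFBIG`. With the default disposition the compromised process would simply be terminated, which is the behaviour a deprivileged QEMU should see.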
134 reused. If a compromised QEMU can fork (due to seccomp or
138 question (which probably belongs to someone else).
148 - "Every process except me to which I am allowed to send a signal" (-1)
150 Targeting a single pid is racy and likely to be beaten by the
159 process id you want to kill, that process has exited and there is a
163 processes are allowed to make their own process groups.
172 ids (effective, real, and saved), it opens the 'killing' process up to
185 > For a process to have permission to send a signal to a process
190 The solution is to allocate a second "reaper" uid that is only used to kill
191 target processes. We set the euid of the killing process to the `target_uid`,
192 but the ruid of the killing process to `reaper_uid`, leaving the suid of the
199 will set *both* euid *and* suid to `target_uid`, making the killing
200 process vulnerable to the target process again.
203 either allocate a separate `reaper_uid` per domain, or use locking to
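Added example, not Xen's or libxl's code: a model of the kill(2) permission rule quoted above and of the two uid-switching calls, so the reaper-uid argument can be checked without root. It shows that `setresuid(reaper_uid, target_uid, reaper_uid)` leaves the killer able to signal the target but not the reverse, that `setreuid()` copies the new euid into the suid and reopens the hole, and why two reapers sharing one `reaper_uid` can signal each other. The uid values are constructed for illustration; the one function that makes the real syscalls needs root and is not called by `main`.

```c
/* Added example (not Xen's or libxl's code): model of the signal-permission
 * rule and of setreuid()/setresuid() credential changes, plus the real
 * reaper sequence.  All uid values are constructed for illustration. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct creds { uid_t ruid, euid, suid; };

/* Unprivileged sender: its real or effective uid must equal the target's
 * real or saved uid (CAP_KILL and the SIGCONT same-session case ignored). */
int can_signal(struct creds sender, struct creds target)
{
    return sender.ruid == target.ruid || sender.ruid == target.suid ||
           sender.euid == target.ruid || sender.euid == target.suid;
}

/* setreuid(r, e) as documented for Linux: suid becomes the new euid whenever
 * ruid is set, or euid is set to something other than the old ruid. */
struct creds model_setreuid(struct creds c, uid_t r, uid_t e)
{
    struct creds n = c;
    if (r != (uid_t)-1) n.ruid = r;
    if (e != (uid_t)-1) n.euid = e;
    if (r != (uid_t)-1 || (e != (uid_t)-1 && e != c.ruid))
        n.suid = n.euid;
    return n;
}

/* setresuid(r, e, s): each id is set independently; -1 leaves it alone. */
struct creds model_setresuid(struct creds c, uid_t r, uid_t e, uid_t s)
{
    struct creds n = c;
    if (r != (uid_t)-1) n.ruid = r;
    if (e != (uid_t)-1) n.euid = e;
    if (s != (uid_t)-1) n.suid = s;
    return n;
}

/* A compromised device model runs with all three ids == its per-domain uid. */
struct creds target_creds(uid_t target_uid)
{
    struct creds c = { target_uid, target_uid, target_uid };
    return c;
}

/* Killer starts as root.  The page's approach, and the tempting shortcut. */
struct creds killer_via_setresuid(uid_t reaper_uid, uid_t target_uid)
{
    struct creds root = { 0, 0, 0 };
    return model_setresuid(root, reaper_uid, target_uid, reaper_uid);
}
struct creds killer_via_setreuid(uid_t reaper_uid, uid_t target_uid)
{
    struct creds root = { 0, 0, 0 };
    return model_setreuid(root, reaper_uid, target_uid);
}

/* Two reapers sharing one reaper_uid can signal each other: hence a
 * reaper_uid per domain, or a lock around the kill. */
int reapers_collide(uid_t reaper_uid, uid_t target_a, uid_t target_b)
{
    return can_signal(killer_via_setresuid(reaper_uid, target_a),
                      killer_via_setresuid(reaper_uid, target_b));
}

/* The real sequence.  Needs root and kills everything the caller may signal
 * as target_uid, so it is deliberately not called from main(). */
int reap_target_uid(uid_t reaper_uid, uid_t target_uid)
{
    if (setresuid(reaper_uid, target_uid, reaper_uid) < 0)
        return -1;
    return kill(-1, SIGKILL);
}

static void report(const char *how, struct creds k, uid_t target_uid)
{
    struct creds t = target_creds(target_uid);
    printf("%-9s killer{r=%u e=%u s=%u}: kills target=%d, target kills it=%d\n",
           how, (unsigned)k.ruid, (unsigned)k.euid, (unsigned)k.suid,
           can_signal(k, t), can_signal(t, k));
}

int main(void)
{
    uid_t reaper = 65530, target = 65531;       /* constructed uids */
    report("setresuid", killer_via_setresuid(reaper, target), target);
    report("setreuid", killer_via_setreuid(reaper, target), target);
    printf("two reapers sharing uid %u collide: %d\n", (unsigned)reaper,
           reapers_collide(reaper, target, 65532));
    return 0;
}
```

The model deliberately leaves out CAP_KILL: a killer that kept capabilities would not need the uid dance at all, and the whole point of the section is that it has dropped them.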
206 # Restrictions / improvements still to do
208 This lists potential restrictions still to do. It is meant to be
216 fiddles with this; it would be straightforward to make it *set* the
217 rlimit to what it thinks a sensible limit is.
222 Other things that would take some cleverness / changes to QEMU to
223 utilize due to ordering constraints:
240 '''Description''': Turn on seccomp filtering to disable syscalls which
247 `elevateprivileges` is currently required to allow `-runas` to work.
250 executing QEMU. (But this would then require other changes to create
256 to be safe and needed. This is unfortunately necessary since qemu
261 environments. We therefore need to either:
262 1. Require that this feature be enabled to build qemu
270 initialize itself and open its disks. If you want to add a disk at run
275 A further layer of restriction could be to set RLIMIT_NOFILE to '0',
281 it is not useful to pass a filename (it doesn't even have write access
285 Additionally, all the restrictions need to be applied to the qemu
286 started up on the post-migration side. One issue that needs to be
287 solved is how to signal the toolstack on restore that qemu is ready
288 for the domain to be started (since this is normally done via
294 Enter QEMU into its own network namespace (in addition to mount & IPC
314 to listen on a TCP socket outside of its own network namespace. One
315 option would be to use VNC over a UNIX socket:
320 we need to have the toolstack open a socket and pass the fd to QEMU
321 (which requires changes to QEMU).