[056/104] virtiofsd: add security guide document

Message ID	20191212163904.159893-57-dgilbert@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com> To: qemu-devel@nongnu.org, stefanha@redhat.com, vgoyal@redhat.com Subject: [PATCH 056/104] virtiofsd: add security guide document Date: Thu, 12 Dec 2019 16:38:16 +0000 Message-Id: <20191212163904.159893-57-dgilbert@redhat.com> In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com> References: <20191212163904.159893-1-dgilbert@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	virtiofs daemon [all] \| expand [000/104] virtiofs daemon [all] [001/104] virtiofsd: Pull in upstream headers [002/104] virtiofsd: Pull in kernel's fuse.h [003/104] virtiofsd: Add auxiliary .c's [004/104] virtiofsd: Add fuse_lowlevel.c [005/104] virtiofsd: Add passthrough_ll [006/104] virtiofsd: Trim down imported files [007/104] virtiofsd: Format imported files to qemu style [008/104] virtiofsd: remove mountpoint dummy argument [009/104] virtiofsd: remove unused notify reply support [010/104] virtiofsd: Fix fuse_daemonize ignored return values [011/104] virtiofsd: Fix common header and define for QEMU builds [012/104] virtiofsd: Trim out compatibility code [013/104] virtiofsd: Make fsync work even if only inode is passed in [014/104] virtiofsd: Add options for virtio [015/104] virtiofsd: add -o source=PATH to help output [016/104] virtiofsd: Open vhost connection instead of mounting [017/104] virtiofsd: Start wiring up vhost-user [018/104] virtiofsd: Add main virtio loop [019/104] virtiofsd: get/set features callbacks [020/104] virtiofsd: Start queue threads [021/104] virtiofsd: Poll kick_fd for queue [022/104] virtiofsd: Start reading commands from queue [023/104] virtiofsd: Send replies to messages [024/104] virtiofsd: Keep track of replies [025/104] virtiofsd: Add Makefile wiring for virtiofsd contrib [026/104] virtiofsd: Fast path for virtio read [027/104] virtiofsd: add --fd=FDNUM fd passing option [028/104] virtiofsd: make -f (foreground) the default [029/104] virtiofsd: add vhost-user.json file [030/104] virtiofsd: add --print-capabilities option [031/104] virtiofs: Add maintainers entry [032/104] virtiofsd: passthrough_ll: create new files in caller's context [033/104] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection [034/104] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers [035/104] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers [036/104] virtiofsd: passthrough_ll: add fd_map to hide file descriptors [037/104] virtiofsd: passthrough_ll: add fallback for racy ops [038/104] virtiofsd: validate path components [039/104] virtiofsd: Plumb fuse_bufvec through to do_write_buf [040/104] virtiofsd: Pass write iov's all the way through [041/104] virtiofsd: add fuse_mbuf_iter API [042/104] virtiofsd: validate input buffer sizes in do_write_buf() [043/104] virtiofsd: check input buffer size in fuse_lowlevel.c ops [044/104] virtiofsd: prevent ".." escape in lo_do_lookup() [045/104] virtiofsd: prevent ".." escape in lo_do_readdir() [046/104] virtiofsd: use /proc/self/fd/ O_PATH file descriptor [047/104] virtiofsd: sandbox mount namespace [048/104] virtiofsd: move to an empty network namespace [049/104] virtiofsd: move to a new pid namespace [050/104] virtiofsd: add seccomp whitelist [051/104] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV [052/104] virtiofsd: cap-ng helpers [053/104] virtiofsd: Drop CAP_FSETID if client asked for it [054/104] virtiofsd: set maximum RLIMIT_NOFILE limit [055/104] virtiofsd: fix libfuse information leaks [056/104] virtiofsd: add security guide document [057/104] virtiofsd: add --syslog command-line option [058/104] virtiofsd: print log only when priority is high enough [059/104] virtiofsd: Add ID to the log with FUSE_LOG_DEBUG level [060/104] virtiofsd: Add timestamp to the log with FUSE_LOG_DEBUG level [061/104] virtiofsd: Handle reinit [062/104] virtiofsd: Handle hard reboot [063/104] virtiofsd: Kill threads when queues are stopped [064/104] vhost-user: Print unexpected slave message types [065/104] contrib/libvhost-user: Protect slave fd with mutex [066/104] virtiofsd: passthrough_ll: add renameat2 support [067/104] virtiofsd: passthrough_ll: disable readdirplus on cache=never [068/104] virtiofsd: passthrough_ll: control readdirplus [069/104] virtiofsd: rename unref_inode() to unref_inode_lolocked() [070/104] virtiofsd: fail when parent inode isn't known in lo_do_lookup() [071/104] virtiofsd: extract root inode init into setup_root() [072/104] virtiofsd: passthrough_ll: fix refcounting on remove/rename [073/104] virtiofsd: passthrough_ll: clean up cache related options [074/104] virtiofsd: passthrough_ll: use hashtable [075/104] virtiofsd: Clean up inodes on destroy [076/104] virtiofsd: support nanosecond resolution for file timestamp [077/104] virtiofsd: fix error handling in main() [078/104] virtiofsd: cleanup allocated resource in se [079/104] virtiofsd: fix memory leak on lo.source [080/104] virtiofsd: add helper for lo_data cleanup [081/104] virtiofsd: Prevent multiply running with same vhost_user_socket [082/104] virtiofsd: enable PARALLEL_DIROPS during INIT [083/104] virtiofsd: fix incorrect error handling in lo_do_lookup [084/104] Virtiofsd: fix memory leak on fuse queueinfo [085/104] virtiofsd: Support remote posix locks [086/104] virtiofsd: use fuse_lowlevel_is_virtio() in fuse_session_destroy() [087/104] virtiofsd: prevent fv_queue_thread() vs virtio_loop() races [088/104] virtiofsd: make lo_release() atomic [089/104] virtiofsd: prevent races with lo_dirp_put() [090/104] virtiofsd: rename inode->refcount to inode->nlookup [091/104] libvhost-user: Fix some memtable remap cases [092/104] virtiofsd: add man page [093/104] virtiofsd: introduce inode refcount to prevent use-after-free [094/104] virtiofsd: do not always set FUSE_FLOCK_LOCKS [095/104] virtiofsd: convert more fprintf and perror to use fuse log infra [096/104] virtiofsd: Reset O_DIRECT flag during file open [097/104] virtiofsd: Fix data corruption with O_APPEND wirte in writeback mode [098/104] virtiofsd: add definition of fuse_buf_writev() [099/104] virtiofsd: use fuse_buf_writev to replace fuse_buf_write for better performance [100/104] virtiofsd: process requests in a thread pool [101/104] virtiofsd: prevent FUSE_INIT/FUSE_DESTROY races [102/104] virtiofsd: fix lo_destroy() resource leaks [103/104] virtiofsd: add --thread-pool-size=NUM option [104/104] virtiofsd: Convert lo_destroy to take the lo->mutex lock itself [105/104] virtiofsd: Unref old/new inodes with the same mutex lock in lo_rename()

Message ID

20191212163904.159893-57-dgilbert@redhat.com

State

New

Headers

From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org,
	stefanha@redhat.com,
	vgoyal@redhat.com
Subject: [PATCH 056/104] virtiofsd: add security guide document
Date: Thu, 12 Dec 2019 16:38:16 +0000
Message-Id: <20191212163904.159893-57-dgilbert@redhat.com>
In-Reply-To: <20191212163904.159893-1-dgilbert@redhat.com>
References: <20191212163904.159893-1-dgilbert@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

virtiofs daemon [all] | expand

Commit Message

Dr. David Alan Gilbert Dec. 12, 2019, 4:38 p.m. UTC

From: Stefan Hajnoczi <stefanha@redhat.com>

Many people want to know: what's up with virtiofsd and security?  This
document provides the answers!

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tools/virtiofsd/security.rst | 118 +++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 tools/virtiofsd/security.rst

Comments

Daniel P. Berrangé Jan. 6, 2020, 3:03 p.m. UTC | #1

On Thu, Dec 12, 2019 at 04:38:16PM +0000, Dr. David Alan Gilbert (git) wrote:
> From: Stefan Hajnoczi <stefanha@redhat.com>
> 
> Many people want to know: what's up with virtiofsd and security?  This
> document provides the answers!
> 
> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> ---
>  tools/virtiofsd/security.rst | 118 +++++++++++++++++++++++++++++++++++

Do we need to link this into the rest of QEMU's docs in some
index page ?

>  1 file changed, 118 insertions(+)
>  create mode 100644 tools/virtiofsd/security.rst

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


Regards,
Daniel

Dr. David Alan Gilbert Jan. 6, 2020, 5:53 p.m. UTC | #2

* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Thu, Dec 12, 2019 at 04:38:16PM +0000, Dr. David Alan Gilbert (git) wrote:
> > From: Stefan Hajnoczi <stefanha@redhat.com>
> > 
> > Many people want to know: what's up with virtiofsd and security?  This
> > document provides the answers!
> > 
> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > ---
> >  tools/virtiofsd/security.rst | 118 +++++++++++++++++++++++++++++++++++
> 
> Do we need to link this into the rest of QEMU's docs in some
> index page ?

I wonder how;  there's a autogenerated thing in
  docs/index.rst

that includes some of the docs directories subdirectories/index
Does that mean we should have this in docs/tools/virtiofsd/security.rst
and a docs/tools/index  and a docs/tools/virtiofsd/index  ?

> >  1 file changed, 118 insertions(+)
> >  create mode 100644 tools/virtiofsd/security.rst
> 
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Thanks!

Dave

> 
> 
> Regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Daniel P. Berrangé Jan. 7, 2020, 10:05 a.m. UTC | #3

On Mon, Jan 06, 2020 at 05:53:55PM +0000, Dr. David Alan Gilbert wrote:
> * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > On Thu, Dec 12, 2019 at 04:38:16PM +0000, Dr. David Alan Gilbert (git) wrote:
> > > From: Stefan Hajnoczi <stefanha@redhat.com>
> > > 
> > > Many people want to know: what's up with virtiofsd and security?  This
> > > document provides the answers!
> > > 
> > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > > ---
> > >  tools/virtiofsd/security.rst | 118 +++++++++++++++++++++++++++++++++++
> > 
> > Do we need to link this into the rest of QEMU's docs in some
> > index page ?
> 
> I wonder how;  there's a autogenerated thing in
>   docs/index.rst
> 
> that includes some of the docs directories subdirectories/index
> Does that mean we should have this in docs/tools/virtiofsd/security.rst
> and a docs/tools/index  and a docs/tools/virtiofsd/index  ?

I was wondering if this fits into any of the current three sections
"devel" or "interop" or "specs", but it doesn't feel quite right in
any of them to me. So having a new docs/tools subtree looks like an
ok idea in absence of better suggestions.

Regards,
Daniel

Dr. David Alan Gilbert Jan. 9, 2020, 5:02 p.m. UTC | #4

* Daniel P. Berrangé (berrange@redhat.com) wrote:
> On Mon, Jan 06, 2020 at 05:53:55PM +0000, Dr. David Alan Gilbert wrote:
> > * Daniel P. Berrangé (berrange@redhat.com) wrote:
> > > On Thu, Dec 12, 2019 at 04:38:16PM +0000, Dr. David Alan Gilbert (git) wrote:
> > > > From: Stefan Hajnoczi <stefanha@redhat.com>
> > > > 
> > > > Many people want to know: what's up with virtiofsd and security?  This
> > > > document provides the answers!
> > > > 
> > > > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > > > ---
> > > >  tools/virtiofsd/security.rst | 118 +++++++++++++++++++++++++++++++++++
> > > 
> > > Do we need to link this into the rest of QEMU's docs in some
> > > index page ?
> > 
> > I wonder how;  there's a autogenerated thing in
> >   docs/index.rst
> > 
> > that includes some of the docs directories subdirectories/index
> > Does that mean we should have this in docs/tools/virtiofsd/security.rst
> > and a docs/tools/index  and a docs/tools/virtiofsd/index  ?
> 
> I was wondering if this fits into any of the current three sections
> "devel" or "interop" or "specs", but it doesn't feel quite right in
> any of them to me. So having a new docs/tools subtree looks like an
> ok idea in absence of better suggestions.

OK, so what I've done is I've added a preceding patch that creates:

   docs/tools
             /conf.py
             /index.rst

  and adds it to the Makefile and docs/index.rst 

and then this patch now adds itself as docs/tools/virtiofsd-security.rst
and just adds the entry in docs/tools/index.rst

Dave

> Regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

diff --git a/tools/virtiofsd/security.rst b/tools/virtiofsd/security.rst
new file mode 100644
index 0000000000..61ce551344
--- /dev/null
+++ b/tools/virtiofsd/security.rst
@@ -0,0 +1,118 @@ 
+========================
+Virtiofsd Security Guide
+========================
+
+Introduction
+============
+This document covers security topics for users of virtiofsd, the daemon that
+implements host<->guest file system sharing.  Sharing files between one or more
+guests and the host raises questions about the trust relationships between
+these entities.  By understanding these topics users can safely deploy
+virtiofsd and control access to their data.
+
+Architecture
+============
+The virtiofsd daemon process acts as a vhost-user device backend, implementing
+the virtio-fs device that the corresponding device driver inside the guest
+interacts with.
+
+There is one virtiofsd process per virtio-fs device instance.  For example,
+when two guests have access to the same shared directory there are still two
+virtiofsd processes since there are two virtio-fs device instances.  Similarly,
+if one guest has access to two shared directories, there are two virtiofsd
+processes since there are two virtio-fs device instances.
+
+Files are created on the host with uid/gid values provided by the guest.
+Furthermore, virtiofsd is unable to enforce file permissions since guests have
+the ability to access any file within the shared directory.  File permissions
+are implemented in the guest, just like with traditional local file systems.
+
+Security Requirements
+=====================
+Guests have root access to the shared directory.  This is necessary for root
+file systems on virtio-fs and similar use cases.
+
+When multiple guests have access to the same shared directory, the guests have
+a trust relationship.  A broken or malicious guest could delete or corrupt
+files.  It could exploit symlink or time-of-check-to-time-of-use (TOCTOU) race
+conditions against applications in other guests.  It could plant device nodes
+or setuid executables to gain privileges in other guests.  It could perform
+denial-of-service (DoS) attacks by consuming available space or making the file
+system unavailable to other guests.
+
+Guests are restricted to the shared directory and cannot access other files on
+the host.
+
+Guests should not be able to gain arbitrary code execution inside the virtiofsd
+process.  If they do, the process is sandboxed to prevent escaping into other
+parts of the host.
+
+Daemon Sandboxing
+=================
+The virtiofsd process handles virtio-fs FUSE requests from the untrusted guest.
+This attack surface could give the guest access to host resources and must
+therefore be protected.  Sandboxing mechanisms are integrated into virtiofsd to
+reduce the impact in the event that an attacker gains control of the process.
+
+As a general rule, virtiofsd does not trust inputs from the guest, aside from
+uid/gid values.  Input validation is performed so that the guest cannot corrupt
+memory or otherwise gain arbitrary code execution in the virtiofsd process.
+
+Sandboxing adds restrictions on the virtiofsd so that even if an attacker is
+able to exploit a bug, they will be constrained to the virtiofsd process and
+unable to cause damage on the host.
+
+Seccomp Whitelist
+-----------------
+Many system calls are not required by virtiofsd to perform its function.  For
+example, ptrace(2) and execve(2) are not necessary and attackers are likely to
+use them to further compromise the system.  This is prevented using a seccomp
+whitelist in virtiofsd.
+
+During startup virtiofsd installs a whitelist of allowed system calls.  All
+other system calls are forbidden for the remaining lifetime of the process.
+This list has been built through experience of running virtiofsd on several
+flavors of Linux and observing which system calls were encountered.
+
+It is possible that previously unexplored code paths or newer library versions
+will invoke system calls that have not been whitelisted yet.  In this case the
+process terminates and a seccomp error is captured in the audit log.  The log
+can typically be viewed using ``journalctl -xe`` and searching for ``SECCOMP``.
+
+Should it be necessary to extend the whitelist, system call numbers from the
+audit log can be translated to names through a CPU architecture-specific
+``.tbl`` file in the Linux source tree.  They can then be added to the
+whitelist in ``seccomp.c`` in the virtiofsd source tree.
+
+Mount Namespace
+---------------
+During startup virtiofsd enters a new mount namespace and releases all mounts
+except for the shared directory.  This makes the file system root `/` the
+shared directory.  It is impossible to access files outside the shared
+directory since they cannot be looked up by path resolution.
+
+Several attacks, including `..` traversal and symlink escapes, are prevented by
+the mount namespace.
+
+The current virtiofsd implementation keeps a directory file descriptor to
+/proc/self/fd open in order to implement several FUSE requests.  This file
+descriptor could be used by attackers to access files outside the shared
+directory.  This limitation will be addressed in a future release of virtiofsd.
+
+Other Namespaces
+----------------
+Virtiofsd enters new pid and network namespaces during startup.  The pid
+namespace prevents the process from seeing other processes running on the host.
+The network namespace removes network connectivity from the process.
+
+Deployment Best Practices
+=========================
+The shared directory should be a separate file system so that untrusted guests
+cannot cause a denial-of-service by using up all available inodes or exhausting
+free space.
+
+If the shared directory is also accessible from a host mount namespace, it is
+recommended to keep a parent directory with rwx------ permissions so that other
+users on the host are unable to access any setuid executables or device nodes
+in the shared directory.  The `nosuid` and `nodev` mount options can also be
+used to prevent this issue.

[056/104] virtiofsd: add security guide document

Commit Message

Comments

Patch