Re: passing FDs across domains

On Wed, Apr 17, 2019 at 7:12 PM Tomasz Figa <tfiga@xxxxxxxxxxxx> wrote:
>
> On Wed, Apr 17, 2019 at 6:31 PM Gerd Hoffmann <kraxel@xxxxxxxxxx> wrote:
> >
> > > > > Mojo IPC. Mojo is just yet another IPC designed to work over a Unix
> > > > > socket, relying on file descriptor passing (SCM_RIGHTS) for passing
> > > > > various platform handles (e.g. DMA-bufs). The clients exchange
> > > > > DMA-bufs with the service.
> > > >
> > > > Only dma-bufs?
> > > >
> > >
> > > Mojo is just a framework that can serialize things and pass various
> > > objects around. What is being passed depends on the particular
> > > interface.
> > >
> > > For the camera use case that would be DMA-bufs and fences.
> >
> > Hmm, fences.  That'll be tricky too.
> >
> > > We also have some more general use cases where we actually pass files,
> > > sockets and other objects there. They can be easily handled with a
> > > userspace proxy, though. Not very efficiently, but that's not a
> > > requirement for our use cases.
> >
> > Ok.  So you'll have a userspace proxy anyway?
> >
> > That pretty much removes the requirement to handle dma-bufs in
> > virtio-vsock (even though that still might be the best option),
> > the proxy could also use virtio-gpu or something else.
> >
>
> We have a proxy for some other IPC interfaces, like sharing guest
> files with the host. It doesn't handle DMA-bufs or fences, but those
> could be added. Given that, no, technically we don't need that in
> virtio-vsock. It would cost us a bit of latency, but it should work
> okay.

Actually there is one issue with the user space proxy model.

Malicious userspace could still open vsock directly and start guessing
resource handles to get access to buffers. While this could be
prevented by making vsock accessible only for the proxy process, it
would render any other legit use cases for vsock impossible without
making the processes implementing those privileged as well.

Of course that would not be a security issue for the host, since the
malicious process could only get access to the buffers accessible to
the guest as a whole. Still, it would significantly affect the
security level within the guest.

Best regards,
Tomasz
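The property the thread leans on is that SCM_RIGHTS passing is kernel-mediated: the receiver gets a private descriptor installed in its own table, so there is no guessable global handle of the kind the vsock model above would expose. The following is an added example, not code from the thread or from Mojo; it assumes a single process, a socketpair, and a pipe standing in for the DMA-buf fd.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Send one descriptor over a Unix socket via SCM_RIGHTS (0 = ok, -1 = error). The kernel
 * installs a duplicate in the peer's table: only that peer gains access, nobody else. */
int send_fd(int sock, int fd) {
    char byte = 'F';                       /* a cmsg must ride along with >= 1 data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new process-local fd, or -1 if none arrived intact. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Demo: pass a pipe's read end through a socketpair and verify the received descriptor
 * reaches the same pipe. Returns 1 = shared, 0 = not shared, -1 = setup/transfer error. */
int demo_shared_pipe(void) {
    int sv[2], p[2];                        /* p[0]: constructed stand-in for a DMA-buf fd */
    if (pipe(p) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int got = send_fd(sv[0], p[0]) == 0 ? recv_fd(sv[1]) : -1;
    char r = 0;                             /* bytes written to p[1] must be readable via got */
    int ok = got >= 0 && write(p[1], "x", 1) == 1 && read(got, &r, 1) == 1 && r == 'x';
    if (got >= 0) close(got);
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]);
    return got < 0 ? -1 : ok;
}
```

A real receiver would pass MSG_CMSG_CLOEXEC to recvmsg so the descriptor is not inherited across exec; it is left out here only to keep the example portable.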
