On Mon, Jan 29, 2024 at 07:45:51PM +0000, Daniel P. Berrangé wrote: > On Mon, Jan 29, 2024 at 08:33:21PM +0100, Paolo Bonzini wrote: > > On Mon, Jan 29, 2024 at 7:53 PM Daniel P. Berrangé <berra...@redhat.com> > > wrote: > > > > diff --git a/meson.build b/meson.build > > > > index d0329966f1b4..93fc233b0891 100644 > > > > --- a/meson.build > > > > +++ b/meson.build > > > > @@ -4015,6 +4015,11 @@ if have_tools > > > > dependencies: [authz, crypto, io, qom, qemuutil, > > > > libcap_ng, mpathpersist], > > > > install: true) > > > > + > > > > + executable('qemu-vmsr-helper', > > > > files('tools/i386/qemu-vmsr-helper.c'), > > > > > > I'd suggest 'tools/x86/' since this works fine on 64-bit too > > > > QEMU tends to use i386 in the source to mean both 32- and 64-bit. > > One day we should rename that to x86 too :-) > > > > You never answered my question from the previous posting of this > > > > > > This check is merely validating the the thread ID in the message > > > is a child of the process ID connected to the socket. Any process > > > on the entire host can satisfy this requirement. > > > > > > I don't see what is limiting this to only QEMU as claimed by the > > > commit message, unless you're expecting the UNIX socket permissions > > > to be such that only processes under the qemu:qemu user:group pair > > > can access to the socket ? That would be a libvirt based permissions > > > assumption though. > > > > Yes, this is why the systemd socket uses 600, like > > contrib/systemd/qemu-pr-helper.socket. The socket can be passed via > > SCM_RIGHTS by libvirt, or its permissions can be changed (e.g. 660 and > > root:kvm would make sense on a Debian system), or a separate helper > > can be started by libvirt. > > > > Either way, the policy is left to the user rather than embedding it in > > the provided systemd unit. > > Ok, this code needs a comment to explain that we're relying on > socket permissions to control who/what can access the daemon, > combined with this PID+TID check to validate it is not spoofing > its identity, as without context the TID check looks pointless.
Looking again, the TID is never used after being checked. QEMU sends the TID, but the helper never does anything with this information except to check the TID belongs the PID. Why are we sending the TID ? With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|