From patchwork Wed Feb 26 11:30:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paolo Bonzini X-Patchwork-Id: 183911 Delivered-To: patch@linaro.org Received: by 2002:ac9:7758:0:0:0:0:0 with SMTP id d24csp2968773ocu; Wed, 26 Feb 2020 03:39:37 -0800 (PST) X-Google-Smtp-Source: APXvYqy2xpEmp/osOHTZe3qbKTv9xj2L421yeEx6EY2YA/La78HgWzwS49tHw0Kcdj/RMbArMSw3 X-Received: by 2002:a37:dcc1:: with SMTP id v184mr4712844qki.487.1582717177561; Wed, 26 Feb 2020 03:39:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582717177; cv=none; d=google.com; s=arc-20160816; b=ntbyj7LJPJfnmKC5zwRQLshgk4btY4Zb8KiXedFVQCZrRiHTvKUsr9kmbt8URqTHOg 48mEXcHWI1f/vRgti41E/AHLAIocourTwrjIFqqNAQiVJqzpoeT6k2KMZcQ3o/NTapsm hC+4T4Ky8agj/rRjONzdz9sbRWEnTvBlbhEmRaAdnRWDRNwvNSxEghy1+o9g5LPLPk60 zeKN/XQoI2BLhtCcfeki6Jp/rb5OgbWJXTjUVZNAVcE0xZk8QjthWVRs6BPsuN0SLrCk JhkpE4/qq/CWsmlc7b/BvhwRp2b5oFME+ksKKlDcK8NrtxEawKcjPPdkOg+EAL669Sxs Ll8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:cc:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:to:from :dkim-signature; bh=jQCthPnR6y1TZUUgQIYVSn60kzDk9kwVXC4q84W9SeE=; b=rZfVNdtiD+uloEQlgJBxYwxGNcEMstzV+AUm+fKWARRAaBHvrinecZrjNVJVqWHzVi DgFTfPV2WDaNGVcxHY3oyNtA909JkPizIJyg8zvjC5Fdp2W/N1QW6uGCwLp8w3fZdI+b 0F3CAiCM65Bmfwe4EaGwSsz2wkzKetWZJIBqKKFNiDkZHttOKi57gUCYjyNEJ4nkfauK Fvo5JnCauT7sVQ6Ij/V0Dh4oN7bRcfH1r5yJRMzXM4LXmCk1WVOjoY/PqiIhvBycTwQo yt/8+3f8LJaqOFsJbtiTOXH4lJ30yr5T0aMRvWZHUwC8mO75b8SgMq/GVBV6PjiuhdhT 8a1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MA9H0Evr; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17]) by mx.google.com with ESMTPS id x2si772618qvo.91.2020.02.26.03.39.37 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 26 Feb 2020 03:39:37 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MA9H0Evr; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from localhost ([::1]:42834 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j6v2P-0004di-1t for patch@linaro.org; Wed, 26 Feb 2020 06:39:37 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:52841) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j6utx-0000zM-VG for qemu-devel@nongnu.org; Wed, 26 Feb 2020 06:30:56 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1j6utw-0006pc-0d for qemu-devel@nongnu.org; Wed, 26 Feb 2020 06:30:53 -0500 Received: from mail-wr1-x436.google.com ([2a00:1450:4864:20::436]:46474) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1j6utv-0006l3-Nn for qemu-devel@nongnu.org; Wed, 26 Feb 2020 06:30:51 -0500 Received: by mail-wr1-x436.google.com with SMTP id j7so2493419wrp.13 for ; Wed, 26 Feb 2020 03:30:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=jQCthPnR6y1TZUUgQIYVSn60kzDk9kwVXC4q84W9SeE=; b=MA9H0Evrqm8eXA6q2MF1l0SI8lKcIQ+XmsMFqU4mdcW3eqqMEjufRX+SjgA3rlNmrP FdJeR2J9ZutmG0nsXuAyTJJJ6pbK24hV2oYpSk0zToM7OSURNsjRP4EHQ8qgHFHnV9Mf pLT77cngrGAhR5ewcNP65H2YcLRFnkbbci+5L5fJxFmeqc06c1GyOspk1myvoMN/3g0q /+veChHgJAx4JY4yYTErJ3mIkh/AQaZp0rr1WLcVOq+elxirh6VUiLdSXUL0bP5rX1zI ZFXU0dGCtAVpiAmTKLiNvUildpzJZZyuI3rY2ezgcTvxTL9kHdA4kdPR0zMrwMc/zz6v OkOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=jQCthPnR6y1TZUUgQIYVSn60kzDk9kwVXC4q84W9SeE=; b=Ahp/0Davv6m7tceiRks/P4vyVtwiwPvx/QmmPS6Zv7iy3r0FZgAtStl30QDhd/jMRd ZZyHr9LTzE56hUXPnkbkQ0rYQqF0IDdhPaflN3hhKPzcWeOTtWOfLA+LICKdmH0anwO2 vI8KUiA3/UWGRvaI9MBZSPlGdIu2a/rZzaLhs8iNYlvNDVUzWZwBRhrZL7hgUTlYTqxM uECkQnM+llWQm3laAIaUeBP7co6CDoHj5U4e62WIx5fhedouJH3QsxWnNfRvk7rV+l7V S4fURNBB8hgJb/K/C7j+z3+iHDEq0XuiLOukLeZetV2gRFP1iBgscN8IuQy2FZmGVETb Jqhg== X-Gm-Message-State: APjAAAVVMMODHpiA2jjQxc122L6dLKuWgcJ3KSuKei0IOIphx19ur+G4 fGo+VAEPyG73KloRULfFTrLg10Lo X-Received: by 2002:a5d:66ca:: with SMTP id k10mr4916113wrw.194.1582716650217; Wed, 26 Feb 2020 03:30:50 -0800 (PST) Received: from donizetti.lan ([2001:b07:6468:f312:d0d9:ea10:9775:f33f]) by smtp.gmail.com with ESMTPSA id h128sm2628154wmh.33.2020.02.26.03.30.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 26 Feb 2020 03:30:49 -0800 (PST) From: Paolo Bonzini To: qemu-devel@nongnu.org Subject: [PATCH 15/18] docs/system: Convert security.texi to rST format Date: Wed, 26 Feb 2020 12:30:31 +0100 Message-Id: <20200226113034.6741-16-pbonzini@redhat.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200226113034.6741-1-pbonzini@redhat.com> References: <20200226113034.6741-1-pbonzini@redhat.com> MIME-Version: 1.0 X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:1450:4864:20::436 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: peter.maydell@linaro.org Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" From: Peter Maydell security.texi is included from qemu-doc.texi but is not used in the qemu.1 manpage. So we can do a straightforward conversion of the contents, which go into the system manual. Signed-off-by: Peter Maydell Signed-off-by: Paolo Bonzini --- docs/system/index.rst | 1 + docs/system/security.rst | 173 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 174 insertions(+) create mode 100644 docs/system/security.rst -- 2.21.1 diff --git a/docs/system/index.rst b/docs/system/index.rst index 21b5a18b67..d38addb2a0 100644 --- a/docs/system/index.rst +++ b/docs/system/index.rst @@ -13,3 +13,4 @@ Contents: .. toctree:: :maxdepth: 2 + security diff --git a/docs/system/security.rst b/docs/system/security.rst new file mode 100644 index 0000000000..f2092c8768 --- /dev/null +++ b/docs/system/security.rst @@ -0,0 +1,173 @@ +Security +======== + +Overview +-------- + +This chapter explains the security requirements that QEMU is designed to meet +and principles for securely deploying QEMU. + +Security Requirements +--------------------- + +QEMU supports many different use cases, some of which have stricter security +requirements than others. The community has agreed on the overall security +requirements that users may depend on. These requirements define what is +considered supported from a security perspective. + +Virtualization Use Case +''''''''''''''''''''''' + +The virtualization use case covers cloud and virtual private server (VPS) +hosting, as well as traditional data center and desktop virtualization. These +use cases rely on hardware virtualization extensions to execute guest code +safely on the physical CPU at close-to-native speed. + +The following entities are untrusted, meaning that they may be buggy or +malicious: + +- Guest +- User-facing interfaces (e.g. VNC, SPICE, WebSocket) +- Network protocols (e.g. NBD, live migration) +- User-supplied files (e.g. disk images, kernels, device trees) +- Passthrough devices (e.g. PCI, USB) + +Bugs affecting these entities are evaluated on whether they can cause damage in +real-world use cases and treated as security bugs if this is the case. + +Non-virtualization Use Case +''''''''''''''''''''''''''' + +The non-virtualization use case covers emulation using the Tiny Code Generator +(TCG). In principle the TCG and device emulation code used in conjunction with +the non-virtualization use case should meet the same security requirements as +the virtualization use case. However, for historical reasons much of the +non-virtualization use case code was not written with these security +requirements in mind. + +Bugs affecting the non-virtualization use case are not considered security +bugs at this time. Users with non-virtualization use cases must not rely on +QEMU to provide guest isolation or any security guarantees. + +Architecture +------------ + +This section describes the design principles that ensure the security +requirements are met. + +Guest Isolation +''''''''''''''' + +Guest isolation is the confinement of guest code to the virtual machine. When +guest code gains control of execution on the host this is called escaping the +virtual machine. Isolation also includes resource limits such as throttling of +CPU, memory, disk, or network. Guests must be unable to exceed their resource +limits. + +QEMU presents an attack surface to the guest in the form of emulated devices. +The guest must not be able to gain control of QEMU. Bugs in emulated devices +could allow malicious guests to gain code execution in QEMU. At this point the +guest has escaped the virtual machine and is able to act in the context of the +QEMU process on the host. + +Guests often interact with other guests and share resources with them. A +malicious guest must not gain control of other guests or access their data. +Disk image files and network traffic must be protected from other guests unless +explicitly shared between them by the user. + +Principle of Least Privilege +'''''''''''''''''''''''''''' + +The principle of least privilege states that each component only has access to +the privileges necessary for its function. In the case of QEMU this means that +each process only has access to resources belonging to the guest. + +The QEMU process should not have access to any resources that are inaccessible +to the guest. This way the guest does not gain anything by escaping into the +QEMU process since it already has access to those same resources from within +the guest. + +Following the principle of least privilege immediately fulfills guest isolation +requirements. For example, guest A only has access to its own disk image file +``a.img`` and not guest B's disk image file ``b.img``. + +In reality certain resources are inaccessible to the guest but must be +available to QEMU to perform its function. For example, host system calls are +necessary for QEMU but are not exposed to guests. A guest that escapes into +the QEMU process can then begin invoking host system calls. + +New features must be designed to follow the principle of least privilege. +Should this not be possible for technical reasons, the security risk must be +clearly documented so users are aware of the trade-off of enabling the feature. + +Isolation mechanisms +'''''''''''''''''''' + +Several isolation mechanisms are available to realize this architecture of +guest isolation and the principle of least privilege. With the exception of +Linux seccomp, these mechanisms are all deployed by management tools that +launch QEMU, such as libvirt. They are also platform-specific so they are only +described briefly for Linux here. + +The fundamental isolation mechanism is that QEMU processes must run as +unprivileged users. Sometimes it seems more convenient to launch QEMU as +root to give it access to host devices (e.g. ``/dev/net/tun``) but this poses a +huge security risk. File descriptor passing can be used to give an otherwise +unprivileged QEMU process access to host devices without running QEMU as root. +It is also possible to launch QEMU as a non-root user and configure UNIX groups +for access to ``/dev/kvm``, ``/dev/net/tun``, and other device nodes. +Some Linux distros already ship with UNIX groups for these devices by default. + +- SELinux and AppArmor make it possible to confine processes beyond the + traditional UNIX process and file permissions model. They restrict the QEMU + process from accessing processes and files on the host system that are not + needed by QEMU. + +- Resource limits and cgroup controllers provide throughput and utilization + limits on key resources such as CPU time, memory, and I/O bandwidth. + +- Linux namespaces can be used to make process, file system, and other system + resources unavailable to QEMU. A namespaced QEMU process is restricted to only + those resources that were granted to it. + +- Linux seccomp is available via the QEMU ``--sandbox`` option. It disables + system calls that are not needed by QEMU, thereby reducing the host kernel + attack surface. + +Sensitive configurations +------------------------ + +There are aspects of QEMU that can have security implications which users & +management applications must be aware of. + +Monitor console (QMP and HMP) +''''''''''''''''''''''''''''' + +The monitor console (whether used with QMP or HMP) provides an interface +to dynamically control many aspects of QEMU's runtime operation. Many of the +commands exposed will instruct QEMU to access content on the host file system +and/or trigger spawning of external processes. + +For example, the ``migrate`` command allows for the spawning of arbitrary +processes for the purpose of tunnelling the migration data stream. The +``blockdev-add`` command instructs QEMU to open arbitrary files, exposing +their content to the guest as a virtual disk. + +Unless QEMU is otherwise confined using technologies such as SELinux, AppArmor, +or Linux namespaces, the monitor console should be considered to have privileges +equivalent to those of the user account QEMU is running under. + +It is further important to consider the security of the character device backend +over which the monitor console is exposed. It needs to have protection against +malicious third parties which might try to make unauthorized connections, or +perform man-in-the-middle attacks. Many of the character device backends do not +satisfy this requirement and so must not be used for the monitor console. + +The general recommendation is that the monitor console should be exposed over +a UNIX domain socket backend to the local host only. Use of the TCP based +character device backend is inappropriate unless configured to use both TLS +encryption and authorization control policy on client connections. + +In summary, the monitor console is considered a privileged control interface to +QEMU and as such should only be made accessible to a trusted management +application or user.