On Fri, Aug 11, 2017 at 09:23:17AM +0000, Jorgen S. Hansen wrote:
> > On Aug 3, 2017, at 12:41 PM, Stefan Hajnoczi <stefa...@redhat.com> wrote:
> > 
> > Hi Jorgen,
> > There are 3 sockopts defined in include/uapi/linux/vm_sockets.h that are
> > currently not implemented in net/vmw_vsock/af_vsock.c:
> > 
> > * SO_VM_SOCKETS_PEER_HOST_VM_ID
> > * SO_VM_SOCKETS_TRUSTED
> > * SO_VM_SOCKETS_NONBLOCK_TXRX
> > 
> > I noticed this because SO_VM_SOCKETS_TRUSTED is interesting for
> > virtio-vsock.  Services listening on AF_VSOCK inside the guest may not
> > want arbitrary unprivileged host processes to connect.  Instead of
> > inventing a new solution I wanted to look into SO_VM_SOCKETS_TRUSTED but
> > found it is not implemented in linux.git.
> > 
> > What is the status of these sockets?
> 
> These options were only implemented for ESX host endpoints, so were never 
> part of the Linux host side support. It looks like they could have been 
> omitted from vm_sockets.h, when the initial upstreaming was performed.
> 
> On ESX, the equivalent of SO_VM_SOCKETS_TRUSTED, is used for retrieving the 
> value of s->trusted of a VMCI socket. It cannot be used to mark a socket as 
> trusted. On Linux, trusted is tied to the CAP_NET_ADMIN capability of the 
> socket creator. VMCI based vSockets will per default only allow host side 
> sockets that are trusted, or are created by the same user as the VM, to 
> communicate with a given VM. This is achieved by per default creating VMs 
> with the VMCI privilege flag VMCI_PRIVILEGE_FLAG_RESTRICTED. It is possible 
> to create a VM that isn’t restricted, in which case any host process will be 
> able to communicate with the VM.
> 
> So it should be straight forward to implement the getsockopt part of 
> SO_VM_SOCKETS_TRUSTED, since it just needs to return s->trusted.

Currently virtio-vsock does not implement the 'restricted' mode but I'm
evaluating using it by default for stronger security.  Thanks for your
response!

Stefan

Attachment: signature.asc
Description: PGP signature

Reply via email to