Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753463AbbGAJGd (ORCPT <rfc822;w@1wt.eu>);
	Wed, 1 Jul 2015 05:06:33 -0400
Received: from mx1.redhat.com ([209.132.183.28]:36460 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752837AbbGAJGY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 1 Jul 2015 05:06:24 -0400
Date: Wed, 1 Jul 2015 10:06:19 +0100
From: "Daniel P. Berrange" <berrange@redhat.com>
To: Jeremy White <jwhite@codeweavers.com>
Cc: hdegoede@redhat.com, spice-devel@lists.freedesktop.org,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [Spice-devel] [RFC PATCH 1/1] Add a usbredir kernel module to
 remotely connect USB devices over IP.
Message-ID: <20150701090619.GB16822@redhat.com>
Reply-To: "Daniel P. Berrange" <berrange@redhat.com>
References: <1435700650-640-1-git-send-email-jwhite@codeweavers.com>
 <1435700650-640-2-git-send-email-jwhite@codeweavers.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <1435700650-640-2-git-send-email-jwhite@codeweavers.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3590
Lines: 86

On Tue, Jun 30, 2015 at 04:44:10PM -0500, Jeremy White wrote:
> This module uses the usbredir protocol and user space tools,
> which are used by the SPICE project.
> 
> Signed-off-by: Jeremy White <jwhite@codeweavers.com>

[snip]

> diff --git a/drivers/usb/usbredir/Kconfig b/drivers/usb/usbredir/Kconfig
> new file mode 100644
> index 0000000..284fd02
> --- /dev/null
> +++ b/drivers/usb/usbredir/Kconfig
> @@ -0,0 +1,25 @@
> +config USBREDIR
> +	tristate "USBREDIR support"
> +	depends on USB && NET
> +	---help---
> +	  This enables connecting a remote USB device over IP using
> +          the USBREDIR protocol.  This module provides a sysfs attach
> +          interface which, if given a socket connected to a remote
> +          usbredirserver, will enable the remote device to behave as
> +          though it were connected to the system running this module.
> +
> +          For more information and user space tools, refer to the
> +          USBREDIR project, which can be found at
> +          http://www.spice-space.org/page/UsbRedir.

[snip]

> new file mode 100644
> index 0000000..217a2e4
> --- /dev/null
> +++ b/drivers/usb/usbredir/README
> @@ -0,0 +1,20 @@
> +USB Redirection Kernel Module
> +
> +This module allows a Linux system to instatiate USB devices
> +that are located on a remote device.  The USB data is transferred
> +over a socket using the USBREDIR protocol, which is generally
> +used in conjunction with the SPICE project.
> +
> +You will need the USBREDIR user space tools.  They can
> +be found at http://www.spice-space.org/page/UsbRedir.
> +
> +To use, start the usbredirserver on a remote system.
> +For example,
> + ./usbredirserver --port 4000 125f:db8a
> +will export my ADATA thumb drive on the remote system.
> +
> +Next, on the local system, connect a socket and relay that to
> +the kernel module.  The connectkernel utility will do this as follows:
> +  ./connectkernel adata4000 my.remote.device.com 4000
> +
> +The device should attach and be usable on the local system.

What is the security story here ? If I am understanding correctly, you have
a userspace helper which opens a socket, and does a connect() to establish
the connection to the remote system, and then tells the kernel to use the
file descriptor associated with the socket.

Assuming that's correct, then this seems to imply that the socket has raw
plain text data being sent/received, and thus precludes the possibility
of running any security protocol like TLS unless the kernel wants to have
an impl of the TLS protocol.

I don't really think it is sensible to be defining & implementing new
network services which can't support strong encryption and authentication.
Rather than passing the file descriptor to the kernel and having it do
the I/O directly, I think it would be better to dissassociate the kernel
from the network transport, and thus leave all sockets layer data I/O
to userspace daemons so they can layer in TLS or SASL or whatever else
is appropriate for the security need.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/