[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
|
From: |
Vivek Goyal |
|
Subject: |
Re: [PATCH 0/2] virtiofsd: drop Linux capabilities(7) |
|
Date: |
Thu, 16 Apr 2020 16:10:22 -0400 |
On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> whitelisted set of capabilities that we require. This improves security in
> case virtiofsd is compromised by making it hard for an attacker to gain
> further
> access to the system.
Hi Stefan,
Good to see this patch. We needed to limit capabilities to reduce attack
surface.
What tests have you run to make sure this current set of whitelisted
capabilities is good enough.
Vivek
>
> Stefan Hajnoczi (2):
> virtiofsd: only retain file system capabilities
> virtiofsd: drop all capabilities in the wait parent process
>
> tools/virtiofsd/passthrough_ll.c | 51 ++++++++++++++++++++++++++++++++
> 1 file changed, 51 insertions(+)
>
> --
> 2.25.1
>