[PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container
From: Stefan Hajnoczi
Subject: [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container
Date: Wed, 22 Jul 2020 14:02:03 +0100

Container runtimes handle namespace setup and remove privileges needed by
virtiofsd to perform sandboxing. Luckily the container environment already
provides most of the sandbox that virtiofsd needs for security.

Introduce a new "virtiofsd -o chroot" option that uses chroot(2) instead of
namespaces. This option allows virtiofsd to work inside a container.

Please see the individual patches for details on the changes and security
implications.

Given that people are starting to attempt running virtiofsd in containers I
think this should go into QEMU 5.1.

Stefan Hajnoczi (3):
  virtiofsd: drop CAP_DAC_READ_SEARCH
  virtiofsd: add container-friendly -o chroot sandboxing option
  virtiofsd: probe unshare(CLONE_FS) and print an error

 tools/virtiofsd/fuse_virtio.c    | 13 +++++++++
 tools/virtiofsd/helper.c         |  3 +++
 tools/virtiofsd/passthrough_ll.c | 45 +++++++++++++++++++++++++++++---
 3 files changed, 58 insertions(+), 3 deletions(-)

--
2.26.2