[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sand
From: |
Stefan Hajnoczi |
Subject: |
Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option |
Date: |
Thu, 23 Jul 2020 13:32:29 +0100 |
On Wed, Jul 22, 2020 at 08:03:18PM +0100, Dr. David Alan Gilbert wrote:
> * Stefan Hajnoczi (stefanha@redhat.com) wrote:
> > + /*
> > + * Make the shared directory the file system root so that FUSE_OPEN
> > + * (lo_open()) cannot escape the shared directory by opening a symlink.
> > + *
> > + * It's still possible to escape the chroot via lo->proc_self_fd but
> > that
> > + * requires gaining control of the process first.
> > + */
> > + if (chroot(lo->source) != 0) {
> > + fuse_log(FUSE_LOG_ERR, "chroot(\"%s\"): %m\n", lo->source);
> > + exit(1);
> > + }
>
> I'm seeing suggestions that you should drop CAP_SYS_CHROOT after
> chroot'ing to stop an old escape (where you create another jail inside
> the jail and the kernel then lets you walk outside of the old one).
That's already the case:
1. setup_seccomp() blocks further chroot(2) calls.
2. setup_capabilities() drops CAP_SYS_CHROOT.
Stefan
signature.asc
Description: PGP signature
[PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/22
Re: [Virtio-fs] [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container, Vivek Goyal, 2020/07/22