Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sand

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sand

From:	Dr. David Alan Gilbert
Subject:	Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Date:	Thu, 23 Jul 2020 18:55:38 +0100
User-agent:	Mutt/1.14.5 (2020-06-23)

* Stefan Hajnoczi (stefanha@redhat.com) wrote:
> On Wed, Jul 22, 2020 at 08:03:18PM +0100, Dr. David Alan Gilbert wrote:
> > * Stefan Hajnoczi (stefanha@redhat.com) wrote:
> > > +    /*
> > > +     * Make the shared directory the file system root so that FUSE_OPEN
> > > +     * (lo_open()) cannot escape the shared directory by opening a 
> > > symlink.
> > > +     *
> > > +     * It's still possible to escape the chroot via lo->proc_self_fd but 
> > > that
> > > +     * requires gaining control of the process first.
> > > +     */
> > > +    if (chroot(lo->source) != 0) {
> > > +        fuse_log(FUSE_LOG_ERR, "chroot(\"%s\"): %m\n", lo->source);
> > > +        exit(1);
> > > +    }
> > 
> > I'm seeing suggestions that you should drop CAP_SYS_CHROOT after
> > chroot'ing to stop an old escape (where you create another jail inside
> > the jail and the kernel then lets you walk outside of the old one).
> 
> That's already the case:
> 
> 1. setup_seccomp() blocks further chroot(2) calls.
> 2. setup_capabilities() drops CAP_SYS_CHROOT.

Ah yes; could you add a comment if you respin; it's not obvious that
the capability to chroot allows you to break out of an existing chroot
you're in.

Dave

> Stefan


--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, (continued)
- [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/22
  - Re: [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Daniel P . Berrangé, 2020/07/22
    - Re: [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/23
    - Re: [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Daniel P . Berrangé, 2020/07/23
    - Re: [Virtio-fs] [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Vivek Goyal, 2020/07/23
    - Re: [Virtio-fs] [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/23
- Re: [Virtio-fs] [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container, Vivek Goyal, 2020/07/22
  - Re: [Virtio-fs] [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container, Stefan Hajnoczi, 2020/07/23

Prev by Date: Re: [PATCH v2] vhost-vdpa :Fix Coverity CID 1430270 / CID 1420267
Next by Date: Re: [PATCH] block/amend: Check whether the node exists
Previous by thread: Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Next by thread: Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Index(es):
- Date
- Thread