From: Stefan Hajnoczi
Subject: Re: [PATCH v2 4/5] virtiofsd: Open lo->source while setting up root in sandbox=NONE mode
Date: Mon, 3 Aug 2020 10:54:59 +0100
On Thu, Jul 30, 2020 at 03:47:35PM -0400, Vivek Goyal wrote:
> In sandbox=NONE mode, lo->source points to the directory which is being
> exported. We have not done any chroot()/pivot_root(). So open lo->source.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> ---
> tools/virtiofsd/passthrough_ll.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/tools/virtiofsd/passthrough_ll.c
> b/tools/virtiofsd/passthrough_ll.c
> index 76ef891105..a6fa816b6c 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -3209,7 +3209,10 @@ static void setup_root(struct lo_data *lo, struct
> lo_inode *root)
> int fd, res;
> struct stat stat;
>
> - fd = open("/", O_PATH);
> + if (lo->sandbox == SANDBOX_NONE)
> + fd = open(lo->source, O_PATH);
> + else
> + fd = open("/", O_PATH);
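Review bot: the if/else bodies at `fd = open(lo->source, O_PATH);` and `fd = open("/", O_PATH);` are unbraced, which QEMU's coding style (enforced by scripts/checkpatch.pl) does not allow even for single-statement blocks; add the braces. On the logic, the new branch opens lo->source with a bare O_PATH, so a lo->source that is a symlink is followed and a non-directory is accepted as the root; since `struct stat stat` is already declared in this function, consider `open(lo->source, O_PATH | O_DIRECTORY)` (or O_NOFOLLOW plus an S_ISDIR check) so that the fd every later lookup is resolved against is known to be the intended export directory, which is where the escape risk introduced by no longer having chroot()/pivot_root() behind this fd is concentrated.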
Up until now virtiofsd has been able to assume that path traversal has
the shared directory as "/".

Now this is no longer true and it is necessary to audit all syscalls
that take path arguments. They must ensure that:
1. Path components are safe (no ".." or "/" allowed)
2. Symlinks are not followed.

Did you audit all syscalls made by passthrough_ll.c?

virtiofsd still needs to restrict the client to the shared directory for
two reasons:
1. The guest may not be trusted. An unprivileged sandbox=none mount can
be used with a malicious guest.
2. If accidental escapes are possible then the guest could accidentally
corrupt or delete files outside the shared directory.
Stefan
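The two conditions Stefan lists (refuse ".." and "/" in every component, never follow symlinks) are what confines lookups once the root fd is the export directory rather than "/". The following is an added example, not part of this thread or of virtiofsd's passthrough_ll.c: the function names `safe_component`, `open_child_nofollow` and `demo` are ours, and the fixture (a temporary directory holding `sub/file` and a symlink `to_root -> /`) is constructed for illustration. The demo also shows what the unguarded `openat()` does with the same names, so the escape and its prevention can be compared side by side.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Per-component check a server must apply to every name the client sends
 * once its root fd is no longer "/": empty names, ".", ".." and names that
 * contain '/' are refused. Returns 0 if the name is safe, -EINVAL otherwise. */
int safe_component(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL) {
        return -EINVAL;
    }
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return -EINVAL;
    }
    return 0;
}

/* Resolve one child of parentfd without leaving the tree: the name is
 * validated, the lookup uses O_NOFOLLOW so a symlink is not followed, and
 * a symlink that was opened (O_PATH|O_NOFOLLOW yields an fd for the link
 * itself) is rejected with -ELOOP. Returns an O_PATH fd or -errno. */
int open_child_nofollow(int parentfd, const char *name)
{
    int rc = safe_component(name);
    if (rc < 0) {
        return rc;
    }
    int fd = openat(parentfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        return -errno;
    }
    struct stat st;
    if (fstat(fd, &st) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }
    if (S_ISLNK(st.st_mode)) {
        close(fd);
        return -ELOOP;
    }
    return fd;
}

/* Constructed fixture (not real data): a temporary export directory holding
 *   sub/file        a regular file
 *   to_root -> /    a symlink pointing outside the export
 * Returns a bitmask of outcomes; 31 means every check behaved as expected:
 *   1  legitimate lookup sub -> file succeeds
 *   2  ".." is refused
 *   4  "to_root" is refused (symlink not followed)
 *   8  "sub/file" is refused ('/' inside a single name)
 *  16  the unguarded openat() without O_NOFOLLOW lands on the host's "/" */
int demo(void)
{
    char dir[] = "/tmp/export-XXXXXX";
    char path[sizeof(dir) + 16];
    if (mkdtemp(dir) == NULL) {
        return -1;
    }
    int result = 0;
    int rootfd = open(dir, O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (rootfd >= 0 && mkdirat(rootfd, "sub", 0700) == 0 &&
        symlinkat("/", rootfd, "to_root") == 0) {
        int subfd = open_child_nofollow(rootfd, "sub");
        int filefd = -1;
        if (subfd >= 0) {
            /* An O_PATH fd cannot create files, so use the path for the fixture. */
            snprintf(path, sizeof(path), "%s/sub/file", dir);
            int wfd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
            if (wfd >= 0) {
                close(wfd);
                filefd = open_child_nofollow(subfd, "file");
            }
        }
        struct stat st, root_st;
        if (filefd >= 0 && fstat(filefd, &st) == 0 && S_ISREG(st.st_mode)) {
            result |= 1;
        }
        if (open_child_nofollow(rootfd, "..") == -EINVAL) {
            result |= 2;
        }
        if (open_child_nofollow(rootfd, "to_root") == -ELOOP) {
            result |= 4;
        }
        if (open_child_nofollow(rootfd, "sub/file") == -EINVAL) {
            result |= 8;
        }
        /* The unguarded call follows the link: its target is the host's "/". */
        int naive = openat(rootfd, "to_root", O_PATH);
        if (naive >= 0 && fstat(naive, &st) == 0 && stat("/", &root_st) == 0 &&
            st.st_dev == root_st.st_dev && st.st_ino == root_st.st_ino) {
            result |= 16;
        }
        if (naive >= 0) close(naive);
        if (filefd >= 0) close(filefd);
        if (subfd >= 0) close(subfd);
    }
    if (rootfd >= 0) close(rootfd);
    /* Remove the fixture again. */
    snprintf(path, sizeof(path), "%s/sub/file", dir); unlink(path);
    snprintf(path, sizeof(path), "%s/sub", dir); rmdir(path);
    snprintf(path, sizeof(path), "%s/to_root", dir); unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo() = %d (31 = all checks passed)\n", demo());
    return 0;
}
```

The point of the `naive` branch is that nothing about an O_PATH directory fd stops `..` or a symlink from leaving the tree; only the per-name check and O_NOFOLLOW do, which is why every path-taking syscall in the server has to be audited once "/" is no longer the export.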