Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
From: Miklos Szeredi
Subject: Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Mon, 25 Jan 2021 17:12:23 +0100
On Thu, Jan 21, 2021 at 3:44 PM Stefan Hajnoczi <stefanha@redhat.com> wrote:
> This patch adds the missing checks to virtiofsd. This is a short-term
> solution because it does not prevent a compromised virtiofsd process
> from opening device nodes on the host.
I think the proper solution is adding support to the host in order to
restrict opens on filesystems that virtiofsd has access to.
My idea was to add a "force_nodev" mount option that cannot be
disabled and will make propagated mounts also be marked
"force_nodev,nodev".
A possibly simpler solution is to extend seccomp to restrict the
process itself from being able to open special files. Not sure if
that's within the scope of seccomp though.
Thanks,
Miklos
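As an added example (not Stefan's patch, which is not shown on this page, and not virtiofsd code): a userspace guard of the kind the quoted text calls the short-term fix, refusing to open anything but regular files and directories. The names `open_nonspecial` and `path_is_regular_or_dir`, the ENXIO error code and the O_PATH-then-/proc/self/fd re-open pattern are this example's own choices; it assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE /* for O_PATH */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd refers to a regular file or directory; 0 for device nodes,
 * FIFOs, sockets and symlinks (or if fstat() fails). */
int fd_is_regular_or_dir(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode));
}

/* Classify a path without opening it for I/O: an O_PATH open touches no
 * device driver and cannot block on a FIFO. */
int path_is_regular_or_dir(const char *path)
{
    int fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return 0;
    int ok = fd_is_regular_or_dir(fd);
    close(fd);
    return ok;
}

/* open() replacement that refuses special files.  Returns an fd, or -1
 * with errno set (ENXIO is this example's choice for a rejected file). */
int open_nonspecial(const char *path, int flags)
{
    char proc_path[64];
    int pathfd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pathfd < 0)
        return -1;
    if (!fd_is_regular_or_dir(pathfd)) {
        close(pathfd);
        errno = ENXIO;
        return -1;
    }
    /* Re-open through the checked handle so the type check and the real
     * open refer to the same inode: no TOCTOU window on the path. */
    snprintf(proc_path, sizeof proc_path, "/proc/self/fd/%d", pathfd);
    int fd = open(proc_path, flags);
    int saved_errno = errno;
    close(pathfd);
    errno = saved_errno;
    return fd;
}
```

This only constrains the process's own code paths; as the message above argues, a compromised process still needs a host-side restriction such as a mount option or seccomp policy.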