Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
From: Miklos Szeredi
Subject: Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Tue, 26 Jan 2021 11:27:18 +0100
On Tue, Jan 26, 2021 at 11:18 AM Stefan Hajnoczi <stefanha@redhat.com> wrote:
>
> On Mon, Jan 25, 2021 at 05:12:23PM +0100, Miklos Szeredi wrote:
> > On Thu, Jan 21, 2021 at 3:44 PM Stefan Hajnoczi <stefanha@redhat.com> wrote:
> >
> > > This patch adds the missing checks to virtiofsd. This is a short-term
> > > solution because it does not prevent a compromised virtiofsd process
> > > from opening device nodes on the host.
> >
> > I think the proper solution is adding support to the host in order to
> > restrict opens on filesystems that virtiofsd has access to.
> >
> > My idea was to add a "force_nodev" mount option that cannot be
> > disabled and will make propagated mounts also be marked
> > "force_nodev,nodev".
>
> Interesting idea! Mount options that are relevant:
> * noexec
> * nosuid
> * nodev
> * nosymfollow
>
> Do you have time to work on the force_* mount options?
Not at the moment, but first we need to probe Al to see if this idea sticks...
> > A possibly simpler solution is to extend seccomp to restrict the
> > process itself from being able to open special files. Not sure if
> > that's within the scope of seccomp though.
>
> I don't think seccomp can provide that restriction since it's unrelated
> to the syscall or its arguments.
How about selinux, then?
Thanks,
Miklos
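The thread above contrasts a short-term fix (checks inside virtiofsd before it opens a file) with host-side enforcement (a `nodev`-style mount option). The block below is an added example, not part of this thread and not the QEMU/virtiofsd patch: it shows the check-before-open pattern in C, where the inode type is inspected through an `O_PATH` handle (which never invokes a device driver's open method) and only a regular file or directory is then re-opened via `/proc/self/fd`, so the same inode is used and a path swap between check and open gains nothing. The names `safe_open_at` and `selftest_safe_open` are this example's own; it assumes Linux with `/proc` mounted and a writable `/tmp`. The self-test uses a FIFO as a stand-in for a device node because creating a character device requires `CAP_MKNOD`.

```c
/* Added example (not from the thread or from virtiofsd). Linux-only:
 * relies on O_PATH and /proc/self/fd. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` under `dirfd` only if it is a regular file or a directory.
 * Device nodes, FIFOs and sockets are refused with errno = ENXIO, and
 * symlinks are never followed. `flags` is the access mode (O_RDONLY etc.);
 * O_CREAT is deliberately unsupported because we only re-open existing inodes. */
int safe_open_at(int dirfd, const char *name, int flags)
{
    char proc_path[64];
    struct stat st;
    int pfd, fd, saved;

    /* O_PATH: obtain a handle without actually opening the object, so a
     * device driver's open() is never triggered by this step. */
    pfd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0)
        return -1;

    if (fstat(pfd, &st) < 0) {
        saved = errno;
        close(pfd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        close(pfd);
        errno = ENXIO;          /* special file: refuse to open it */
        return -1;
    }

    /* Re-open the already-checked inode; /proc/self/fd/N resolves to the
     * handle itself, not to the original path, so it cannot be swapped. */
    snprintf(proc_path, sizeof(proc_path), "/proc/self/fd/%d", pfd);
    fd = open(proc_path, (flags & ~O_NOFOLLOW) | O_CLOEXEC);
    saved = errno;
    close(pfd);
    errno = saved;
    return fd;
}

/* Constructed self-check: scratch directory with one regular file and one
 * FIFO. Returns 0 on success, otherwise the number of the failing step. */
int selftest_safe_open(void)
{
    char tmpl[] = "/tmp/safe_open_XXXXXX";
    char *dir = mkdtemp(tmpl);
    int dfd, fd, rc = 0;

    if (!dir)
        return 1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) { rmdir(dir); return 2; }

    fd = openat(dfd, "plain.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rc = 3; goto out; }
    close(fd);
    if (mkfifoat(dfd, "pipe", 0600) < 0) { rc = 4; goto out; }

    /* Regular file and directory are accepted. */
    fd = safe_open_at(dfd, "plain.txt", O_RDONLY);
    if (fd < 0) { rc = 5; goto out; }
    close(fd);
    fd = safe_open_at(dfd, ".", O_RDONLY);
    if (fd < 0) { rc = 6; goto out; }
    close(fd);

    /* The FIFO is refused before any real open happens; a plain
     * openat(O_RDONLY) here would block waiting for a writer. */
    fd = safe_open_at(dfd, "pipe", O_RDONLY);
    if (fd >= 0 || errno != ENXIO) { if (fd >= 0) close(fd); rc = 7; goto out; }

out:
    unlinkat(dfd, "plain.txt", 0);
    unlinkat(dfd, "pipe", 0);
    close(dfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = selftest_safe_open();
    printf("self-test %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

This is exactly the kind of guard that only protects against paths the daemon itself resolves; as the thread notes, it does nothing for a compromised process that can call `open(2)` directly, which is why the `nodev`-style host enforcement is discussed as the longer-term fix.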