[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
From: |
Stefan Hajnoczi |
Subject: |
Re: [PATCH 0/2] virtiofsd: drop Linux capabilities(7) |
Date: |
Fri, 17 Apr 2020 10:42:26 +0100 |
On Thu, Apr 16, 2020 at 04:10:22PM -0400, Vivek Goyal wrote:
> On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > virtiofsd doesn't need of all Linux capabilities(7) available to root.
> > Keep a
> > whitelisted set of capabilities that we require. This improves security in
> > case virtiofsd is compromised by making it hard for an attacker to gain
> > further
> > access to the system.
>
> Hi Stefan,
>
> Good to see this patch. We needed to limit capabilities to reduce attack
> surface.
>
> What tests have you run to make sure this current set of whitelisted
> capabilities is good enough.
Booting and light usage of Fedora 29 and running blogbench.
I would appreciate it if others could try it out with their
tests/workloads.
Stefan
signature.asc
Description: PGP signature