[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
From: |
Vivek Goyal |
Subject: |
Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7) |
Date: |
Thu, 18 Jun 2020 15:27:17 -0400 |
On Thu, Jun 18, 2020 at 08:16:55PM +0100, Dr. David Alan Gilbert wrote:
> * Vivek Goyal (vgoyal@redhat.com) wrote:
> > On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > > virtiofsd doesn't need of all Linux capabilities(7) available to root.
> > > Keep a
> > > whitelisted set of capabilities that we require. This improves security
> > > in
> > > case virtiofsd is compromised by making it hard for an attacker to gain
> > > further
> > > access to the system.
> >
> > Hi Stefan,
> >
> > I just noticed that this patch set breaks overlayfs on top of virtiofs.
> >
> > overlayfs sets "trusted.overlay.*" and xattrs in trusted domain
> > need CAP_SYS_ADMIN.
> >
> > man xattr says.
> >
> > Trusted extended attributes
> > Trusted extended attributes are visible and accessible only to
> > pro‐
> > cesses that have the CAP_SYS_ADMIN capability. Attributes in
> > this
> > class are used to implement mechanisms in user space (i.e., outside
> > the
> > kernel) which keep information in extended attributes to which
> > ordinary
> > processes should not have access.
> >
> > There is a chance that overlay moves away from trusted xattr in future.
> > But for now we need to make it work. This is an important use case for
> > kata docker in docker build.
> >
> > May be we can add an option to virtiofsd say "--add-cap <capability>" and
> > ask user to pass in "--add-cap cap_sys_admin" if they need to run daemon
> > with this capaibility.
>
> I'll admit I don't like the idea of giving it cap_sys_admin.
> Can you explain:
> a) What overlayfs uses trusted for?
overlayfs stores bunch of metadata and uses "trusted" xattrs for it.
> b) If something nasty was to write junk into the trusted attributes,
> what would happen?
This directory is owned by guest. So it should be able to write
anything it wants, as long as process in guest has CAP_SYS_ADMIN, right?
> c) I see overlayfs has a fallback check if xattr isn't supported at
> all - what is the consequence?
It falls back to I think read only mode.
For a moment forget about overlayfs. Say a user process in guest with
CAP_SYS_ADMIN is writing trusted.foo. Should that succeed? Is a
passthrough filesystem, so it should go through. But currently it
wont.
Thanks
Vivek
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Vivek Goyal, 2020/06/18
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Dr. David Alan Gilbert, 2020/06/18
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7),
Vivek Goyal <=
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Dr. David Alan Gilbert, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Daniel P . Berrangé, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Dr. David Alan Gilbert, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Daniel P . Berrangé, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Vivek Goyal, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Vivek Goyal, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Dr. David Alan Gilbert, 2020/06/26
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Vivek Goyal, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Dr. David Alan Gilbert, 2020/06/19
- Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7), Vivek Goyal, 2020/06/19