Re: [Virtio-fs] [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in


From: Vivek Goyal
Subject: Re: [Virtio-fs] [PATCH for-5.1 0/3] virtiofsd: allow virtiofsd to run in a container
Date: Wed, 22 Jul 2020 14:19:14 -0400

On Wed, Jul 22, 2020 at 02:02:03PM +0100, Stefan Hajnoczi wrote:
> Container runtimes handle namespace setup and remove privileges needed by
> virtiofsd to perform sandboxing. Luckily the container environment already
> provides most of the sandbox that virtiofsd needs for security.
> 
> Introduce a new "virtiofsd -o chroot" option that uses chroot(2) instead of
> namespaces. This option allows virtiofsd to work inside a container.
> 
> Please see the individual patches for details on the changes and security
> implications.
> 
> Given that people are starting to attempt running virtiofsd in containers I
> think this should go into QEMU 5.1.

Hi Stefan,

I have written a document to help with testing virtiofs with any changes.

https://github.com/rhvgoyal/misc/blob/master/virtiofs-tests/virtio-fs-testing-requirement.txt

It will be good to run some of these tests to make sure there are no
regressions due to these changes.

Thanks
Vivek

> 
> Stefan Hajnoczi (3):
>   virtiofsd: drop CAP_DAC_READ_SEARCH
>   virtiofsd: add container-friendly -o chroot sandboxing option
>   virtiofsd: probe unshare(CLONE_FS) and print an error
> 
>  tools/virtiofsd/fuse_virtio.c    | 13 +++++++++
>  tools/virtiofsd/helper.c         |  3 +++
>  tools/virtiofsd/passthrough_ll.c | 45 +++++++++++++++++++++++++++++---
>  3 files changed, 58 insertions(+), 3 deletions(-)
> 
> -- 
> 2.26.2
> 
> 
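As an added illustration that is not part of this thread or of the virtiofsd patches, the C program below shows the two mechanisms the cover letter names: probing whether unshare(CLONE_FS) is permitted (done in a forked child so the probing process keeps its own cwd, root and umask) and entering a chroot(2) sandbox in an order that leaves no window with the cwd outside the new root. The function names (run_probe, probe_unshare_fs, enter_chroot, probe_chroot) are this example's own, it assumes Linux with glibc, and it does not claim to reproduce how the patches implement either step.

```c
/* Added example (not code from the patch series or from virtiofsd):
 * two building blocks a daemon needs when it must sandbox itself inside
 * a container, where namespaces may be unavailable:
 *   1. probe whether unshare(CLONE_FS) is permitted, and
 *   2. enter a chroot(2) sandbox without ever standing outside the new root.
 * All function names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn(arg) in a forked child and return the errno it reported
 * (0 on success). Doing the attempt in a child keeps the caller's own
 * cwd/root/umask untouched, so probing has no side effects. */
static int run_probe(int (*fn)(const char *), const char *arg)
{
    pid_t pid = fork();
    if (pid < 0) {
        return errno;
    }
    if (pid == 0) {
        /* Linux errno values fit in the 8-bit exit status. */
        _exit(fn(arg) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        return errno;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : ECHILD;
}

static int do_unshare_fs(const char *unused)
{
    (void)unused;
    return unshare(CLONE_FS) == 0 ? 0 : errno;
}

/* 0 if unshare(CLONE_FS) works here; otherwise the errno observed, e.g.
 * EPERM when a container seccomp profile denies unshare(2). A daemon
 * that relies on per-thread fs attributes should refuse to start on
 * failure instead of silently running with a shared cwd/root. */
int probe_unshare_fs(void)
{
    return run_probe(do_unshare_fs, NULL);
}

/* Enter a chroot(2) sandbox rooted at dir. The directory is opened
 * first, then chroot() is applied and the cwd is moved inside the new
 * root with fchdir(), so there is no window where the process's cwd is
 * outside its root. Returns 0 or the errno of the failing step.
 * Caveat: chroot is only a boundary if the process cannot regain
 * CAP_SYS_CHROOT afterwards; dropping capabilities is not shown here. */
int enter_chroot(const char *dir)
{
    int fd = open(dir, O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) {
        return errno;
    }
    if (chroot(dir) < 0 || fchdir(fd) < 0) {
        int saved = errno;
        close(fd);
        return saved;
    }
    close(fd);
    return 0;
}

/* Same as enter_chroot(), but performed in a child so the caller can
 * learn in advance whether chroot(2) is permitted in this environment. */
int probe_chroot(const char *dir)
{
    return run_probe(enter_chroot, dir);
}

int main(void)
{
    int r = probe_unshare_fs();
    printf("unshare(CLONE_FS): %s\n", r == 0 ? "ok" : strerror(r));
    r = probe_chroot("/");
    printf("chroot(\"/\"): %s\n", r == 0 ? "ok" : strerror(r));
    return 0;
}
```

Run unprivileged, probe_chroot() reports EPERM and, under a container seccomp profile that denies unshare(2), probe_unshare_fs() reports EPERM as well; that is the situation the cover letter describes, and the point of probing first is to fail loudly rather than run with a weaker sandbox than intended.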



