Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o

From:	Stefan Hajnoczi
Subject:	Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Date:	Thu, 23 Jul 2020 13:29:24 +0100

On Wed, Jul 22, 2020 at 02:17:10PM -0400, Vivek Goyal wrote:
> On Wed, Jul 22, 2020 at 02:02:05PM +0100, Stefan Hajnoczi wrote:
> > virtiofsd cannot run in an unprivileged container because CAP_SYS_ADMIN
> > is required to create namespaces.
> > 
> > Introduce a weaker sandbox that is sufficient in container environments
> > because the container runtime already sets up namespaces. Use chroot to
> > restrict path traversal to the shared directory.
> > 
> > virtiofsd loses the following:
> > 
> > 1. Mount namespace. The process chroots to the shared directory but
> >    leaves the mounts in place. Seccomp rejects mount(2)/umount(2)
> >    syscalls.
> > 
> > 2. Pid namespace. This should be fine because virtiofsd is the only
> >    process running in the container.
> > 
> > 3. Network namespace. This should be fine because seccomp already
> >    rejects the connect(2) syscall, but an additional layer of security
> >    is lost. Container runtime-specific network security policies can be
> >    used drop network traffic (except for the vhost-user UNIX domain
> >    socket).
> > 
> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
> > ---
> >  tools/virtiofsd/helper.c         |  3 +++
> >  tools/virtiofsd/passthrough_ll.c | 44 ++++++++++++++++++++++++++++++--
> >  2 files changed, 45 insertions(+), 2 deletions(-)
> > 
> > diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
> > index 3105b6c23a..7421c9ca1a 100644
> > --- a/tools/virtiofsd/helper.c
> > +++ b/tools/virtiofsd/helper.c
> > @@ -151,6 +151,9 @@ void fuse_cmdline_help(void)
> >             "    -o cache=<mode>            cache mode. could be one of 
> > \"auto, "
> >             "always, none\"\n"
> >             "                               default: auto\n"
> > +           "    -o chroot|no_chroot        use container-friendly chroot 
> > instead\n"
> > +           "                               of stronger mount namespace 
> > sandbox\n"
> > +           "                               default: false\n"
> 
> This option name disabling namespace setup is little confusing to me.
> 
> Will it make sense to provide another option to disable/enable
> namespaces. "-o no-namespaces" and that disables setting up
> namespaces.

Thanks, I'll propose a new syntax.

Stefan

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH for-5.1 1/3] virtiofsd: drop CAP_DAC_READ_SEARCH, (continued)
- [PATCH for-5.1 1/3] virtiofsd: drop CAP_DAC_READ_SEARCH, Stefan Hajnoczi, 2020/07/22
  - Re: [PATCH for-5.1 1/3] virtiofsd: drop CAP_DAC_READ_SEARCH, Dr. David Alan Gilbert, 2020/07/22
- [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Stefan Hajnoczi, 2020/07/22
  - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Daniel P . Berrangé, 2020/07/22
    - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Stefan Hajnoczi, 2020/07/23
  - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Dr. David Alan Gilbert, 2020/07/22
    - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Stefan Hajnoczi, 2020/07/23
    - Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Vivek Goyal, 2020/07/23
    - Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Stefan Hajnoczi, 2020/07/23
  - Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Vivek Goyal, 2020/07/22
    - Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Stefan Hajnoczi <=
  - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Dr. David Alan Gilbert, 2020/07/22
    - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Stefan Hajnoczi, 2020/07/23
    - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Dr. David Alan Gilbert, 2020/07/23
    - Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option, Stefan Hajnoczi, 2020/07/24
- [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/22
  - Re: [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Daniel P . Berrangé, 2020/07/22
    - Re: [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/23
    - Re: [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Daniel P . Berrangé, 2020/07/23
    - Re: [Virtio-fs] [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Vivek Goyal, 2020/07/23
    - Re: [Virtio-fs] [PATCH for-5.1 3/3] virtiofsd: probe unshare(CLONE_FS) and print an error, Stefan Hajnoczi, 2020/07/23

Prev by Date: Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Next by Date: Re: [PATCH 05/13] block/ssh: auto-ify URI parsing variables
Previous by thread: Re: [Virtio-fs] [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Next by thread: Re: [PATCH for-5.1 2/3] virtiofsd: add container-friendly -o chroot sandboxing option
Index(es):
- Date
- Thread