[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)

From: Stefan Hajnoczi
Subject: Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Tue, 26 Jan 2021 10:18:39 +0000

On Mon, Jan 25, 2021 at 05:12:23PM +0100, Miklos Szeredi wrote:
> On Thu, Jan 21, 2021 at 3:44 PM Stefan Hajnoczi <stefanha@redhat.com> wrote:
> > This patch adds the missing checks to virtiofsd. This is a short-term
> > solution because it does not prevent a compromised virtiofsd process
> > from opening device nodes on the host.
> I think the proper solution is adding support to the host in order to
> restrict opens on filesystems that virtiofsd has access to.
> My idea was to add a "force_nodev" mount option that cannot be
> disabled and will make propagated mounts  also be marked
> "force_nodev,nodev".

Interesting idea! Mount options that are relevant:
 * noexec
 * nosuid
 * nodev
 * nosymfollow

Do you have time to work on the force_* mount options?

> A possibly simpler solution is to extend seccomp to restrict the
> process itself from being able to open special files.  Not sure if
> that's within the scope of seccomp though.

I don't think seccomp can provide that restriction since it's unrelated
to the syscall or its arguments.


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]