From: Daniel P. Berrangé
Subject: Re: [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation
Date: Mon, 7 Feb 2022 13:05:16 +0000
User-agent: Mutt/2.1.5 (2021-12-30)
On Wed, Feb 02, 2022 at 02:39:26PM -0500, Vivek Goyal wrote:
> Hi,
>
> This is V5 of the patches. I posted V4 here.
>
> https://listman.redhat.com/archives/virtio-fs/2022-January/msg00041.html
>
> These will allow us to support SELinux with virtiofs. This will send
> SELinux context at file creation to server and server can set it on
> file.
I've not entirely figured it out from the code, so easier for me
to ask...
How is the SELinux label stored on the host side? Is it stored
directly in the security.* xattr namespace, or is it subject to
the xattr remapping that virtiofsd already supports?
Storing directly means virtiofsd has to run in an essentially
unconfined context (to let it do arbitrary changes on security.*
xattrs without being blocked by SELinux) and has the risk that guest
initiated changes can open holes in the host confinement if
the exported FS is generally visible to processes on the host.
Using remapping lets virtiofsd be strictly isolated by SELinux
policy on the host, and ensures that guest context changes
can't open up holes in the host.
Both are valid use cases, so I'd ultimately expect us to want
to support both, but my preference for a "default" behaviour
would be remapping.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
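To make the two storage choices in the message above concrete, here is a small constructed model (added example, not virtiofsd's or QEMU's code) of a guest setting its SELinux context on a newly created file, once with the label written straight into the host's security.* namespace and once with the prefix-style remapping that virtiofsd's xattrmap option provides. The prefix `user.virtiofs.` and the host file's label are assumptions chosen for illustration, and the mapping rules are a simplified imitation of virtiofsd's behaviour, not its real parser.

```python
from typing import Optional

# Assumed prefix, in the spirit of an xattrmap like
# ":prefix:all::user.virtiofs.::bad:all:::" (simplified here).
PREFIX = "user.virtiofs."


def guest_to_host(name: str, remap: bool) -> str:
    """Host-side xattr name virtiofsd would write for a guest request."""
    return PREFIX + name if remap else name


def host_to_guest(name: str, remap: bool) -> Optional[str]:
    """Guest-visible name for a host xattr, or None if hidden from the guest."""
    if not remap:
        return name
    return name[len(PREFIX):] if name.startswith(PREFIX) else None


def needs_security_namespace(host_name: str) -> bool:
    """True when the write lands in host security.*, i.e. it is mediated by
    host SELinux and virtiofsd needs an unconfined/privileged context."""
    return host_name.startswith("security.")


def simulate(remap: bool) -> dict:
    # Constructed host file: a label the host's own policy applied.
    host_xattrs = {"security.selinux": "system_u:object_r:virtiofs_t:s0"}
    # Constructed guest request: the context sent at file creation.
    guest_label = "system_u:object_r:guest_file_t:s0"
    host_name = guest_to_host("security.selinux", remap)
    host_xattrs[host_name] = guest_label
    visible = (host_to_guest(k, remap) for k in host_xattrs)
    return {
        "host_name": host_name,
        "privileged_write": needs_security_namespace(host_name),
        "host_label_overwritten": host_xattrs["security.selinux"] == guest_label,
        "guest_sees": sorted(n for n in visible if n),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("remap" if mode else "direct", simulate(mode))
```

In the direct case the guest's write replaces the host-applied label and requires virtiofsd to be allowed to touch security.*; in the remapped case it lands in user.* and the guest still lists a `security.selinux` of its own while the host's label is untouched and invisible.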