Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
From: Stefan Hajnoczi
Subject: Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Tue, 26 Jan 2021 10:18:39 +0000
On Mon, Jan 25, 2021 at 05:12:23PM +0100, Miklos Szeredi wrote:
> On Thu, Jan 21, 2021 at 3:44 PM Stefan Hajnoczi <stefanha@redhat.com> wrote:
>
> > This patch adds the missing checks to virtiofsd. This is a short-term
> > solution because it does not prevent a compromised virtiofsd process
> > from opening device nodes on the host.
>
> I think the proper solution is adding support to the host in order to
> restrict opens on filesystems that virtiofsd has access to.
>
> My idea was to add a "force_nodev" mount option that cannot be
> disabled and will make propagated mounts also be marked
> "force_nodev,nodev".

Interesting idea! Mount options that are relevant:

* noexec
* nosuid
* nodev
* nosymfollow

Do you have time to work on the force_* mount options?

> A possibly simpler solution is to extend seccomp to restrict the
> process itself from being able to open special files. Not sure if
> that's within the scope of seccomp though.

I don't think seccomp can provide that restriction since it's unrelated
to the syscall or its arguments.

Stefan
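The reply above says the patch adds checks so that virtiofsd refuses to open special files, and that seccomp cannot express this restriction because the inode type is not visible in the open syscall or its arguments. The C program below is an added illustration written for this page; it is not the patch's code and not virtiofsd's. It shows the shape of such a check done in userspace: take an O_PATH handle first, inspect the inode type with fstat, and only then perform the real open through /proc/self/fd, so a device driver's open routine is never entered, a FIFO never blocks the caller, and no second path lookup takes place between check and open. The function names open_regular_only and demo, the temporary-directory layout and the choice of EPERM as the rejection error are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` relative to `dirfd`, but only if it is a regular file.
 * Step 1: O_PATH|O_NOFOLLOW yields a handle to the inode without calling a
 *         device driver's open routine, without blocking on a FIFO, and
 *         without following a symlink (the link itself is returned).
 * Step 2: fstat() on that handle reveals the inode type.
 * Step 3: only a regular file is re-opened for real via /proc/self/fd, which
 *         reuses the already-resolved inode instead of looking the path up
 *         again, so the object cannot be swapped between check and open. */
int open_regular_only(int dirfd, const char *name, int flags)
{
    int pfd = openat(dirfd, name, O_PATH | O_NOFOLLOW);
    if (pfd < 0)
        return -1;

    struct stat st;
    if (fstat(pfd, &st) < 0) {
        close(pfd);
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {      /* device, FIFO, socket, symlink, dir */
        close(pfd);
        errno = EPERM;               /* error code chosen for this example */
        return -1;
    }

    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", pfd);
    int fd = open(proc, flags & ~O_NOFOLLOW);  /* the /proc link must be followed */
    int saved = errno;
    close(pfd);
    errno = saved;
    return fd;
}

/* Self-check in a fresh temporary directory (all names constructed here):
 * a regular file must open, while a FIFO and a symlink must be refused with
 * EPERM. Returns 0 on success, otherwise the number of the failing step. */
int demo(void)
{
    char tmpl[] = "/tmp/open-regular-XXXXXX";
    if (!mkdtemp(tmpl))
        return 1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) {
        rmdir(tmpl);
        return 2;
    }
    int rc = 3;
    int ok = -1, fifo = -1, link = -1, fifo_err = 0, link_err = 0;

    int f = openat(dfd, "regular.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (f < 0)
        goto out;
    close(f);
    if (mkfifoat(dfd, "fifo", 0600) < 0 ||
        symlinkat("regular.txt", dfd, "link") < 0)
        goto out;

    ok = open_regular_only(dfd, "regular.txt", O_RDONLY);
    fifo = open_regular_only(dfd, "fifo", O_RDONLY);   /* plain open() would block here */
    fifo_err = errno;
    link = open_regular_only(dfd, "link", O_RDONLY);   /* refused even though target is regular */
    link_err = errno;
    if (ok >= 0 && fifo < 0 && fifo_err == EPERM && link < 0 && link_err == EPERM)
        rc = 0;
    if (ok >= 0)
        close(ok);
out:
    unlinkat(dfd, "regular.txt", 0);
    unlinkat(dfd, "fifo", 0);
    unlinkat(dfd, "link", 0);
    close(dfd);
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "regular file opened, FIFO and symlink refused" : "check failed");
    return rc;
}
```

The point of the ordering is the one the reply makes about seccomp: the decision depends on what the path resolves to, not on the syscall number or its arguments, so it has to be taken after resolution and before the side-effecting open. A check done with a separate stat call on the path name would leave a window in which the object could be replaced; the O_PATH handle closes that window.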