From nobody Sat May 18 16:46:56 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1571242016; cv=none; d=zoho.com; s=zohoarc; b=OYKu1WrD+iRnIeSt3AydLCEEh2/SVNhUXPj6dZR/ckUbnP0zBdmZRT7drRnMcnw1eBgRd2tv0WIGADrlx1RhvnFExAMi1tIjFKFgh5UjAQgmtLE8njvIzzJw+4WFwBRPzoQkz8R/s57b54MSXHg1TuiuWafXmEzr+J2CIbrT9vQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571242016; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Pnrwl1uSj0TUEPeQv+/7wR9lN0mmbXB0jG1Dd9q7qpo=; b=J4yk1Q+m4yYaSJ+fOJu97eIryCr/kjNaAmT4nCLU6ulA8Jh7/6RRUNkxpAVE3Xy56IlWJ1oFS2ws/ipeeKhLiRaTaNFCeVJ+kb9dh+GWa1umdDD7m3GsppGJ5KoFuOhceDOBsbph4FXqgKdBp5/M4IghGJF7aA4pNTilI96hxmQ= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1571242016413203.02147036903; Wed, 16 Oct 2019 09:06:56 -0700 (PDT) Received: from localhost ([::1]:45106 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iKlp8-0007AB-LE for importer@patchew.org; Wed, 16 Oct 2019 12:06:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:57507) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iKlkm-0003wq-Nn for qemu-devel@nongnu.org; Wed, 16 Oct 2019 12:02:25 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iKlkh-0008DE-HF for qemu-devel@nongnu.org; Wed, 16 Oct 2019 12:02:24 -0400 Received: from mx1.redhat.com ([209.132.183.28]:44600) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iKlkh-0008Co-Ab for qemu-devel@nongnu.org; Wed, 16 Oct 2019 12:02:19 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7D5BB7FDF5 for ; Wed, 16 Oct 2019 16:02:18 +0000 (UTC) Received: from localhost (unknown [10.36.118.69]) by smtp.corp.redhat.com (Postfix) with ESMTP id 686C360C80; Wed, 16 Oct 2019 16:02:06 +0000 (UTC) From: Stefan Hajnoczi To: qemu-devel@nongnu.org Subject: [PATCH 1/2] virtiofsd: move to an empty network namespace Date: Wed, 16 Oct 2019 17:01:56 +0100 Message-Id: <20191016160157.12414-2-stefanha@redhat.com> In-Reply-To: <20191016160157.12414-1-stefanha@redhat.com> References: <20191016160157.12414-1-stefanha@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Wed, 16 Oct 2019 16:02:18 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: virtio-fs@redhat.com, "Dr. David Alan Gilbert" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" If the process is compromised there should be no network access. Use an empty network namespace to sandbox networking. Signed-off-by: Stefan Hajnoczi Reviewed-by: Dr. David Alan Gilbert --- contrib/virtiofsd/passthrough_ll.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthr= ough_ll.c index 84b60d85bd..c27ff7d800 100644 --- a/contrib/virtiofsd/passthrough_ll.c +++ b/contrib/virtiofsd/passthrough_ll.c @@ -2736,6 +2736,19 @@ static void setup_shared_versions(struct lo_data *lo) lo->version_table =3D addr; } =20 +/* + * Called after our UNIX domain sockets have been created, now we can move= to + * an empty network namespace to prevent TCP/IP and other network activity= in + * case this process is compromised. + */ +static void setup_net_namespace(void) +{ + if (unshare(CLONE_NEWNET) !=3D 0) { + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNET): %m\n"); + exit(1); + } +} + /* This magic is based on lxc's lxc_pivot_root() */ static void setup_pivot_root(const char *source) { @@ -2818,6 +2831,7 @@ static void setup_mount_namespace(const char *source) */ static void setup_sandbox(struct lo_data *lo, bool enable_syslog) { + setup_net_namespace(); setup_mount_namespace(lo->source); setup_seccomp(enable_syslog); } --=20 2.21.0 From nobody Sat May 18 16:46:56 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1571242182; cv=none; d=zoho.com; s=zohoarc; b=Z/c0FgPH1e3r7U26EL3oYAiV9sAG6Aavo84CYa9LAm1eRpZ3mQApoW+X+qNiHIdNA9LDRiniHxp68K3BE2rilCTQFqBpN+vfbWpvnV8ra5TA73MpagImrWj/EjWSVNAL0PPe0Uxo7OL+scVCED38xmS98OCIHtn9EogfuKU+nIY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1571242182; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=2pbFfVT0UwKTvQ+AIeIL0pPxBI6wwsxwgjvdL2RKfNg=; b=hILmxDZF7sHoqq5dxuFZ1ISCFAoFGHeZ82SICmTCz57mrGeOs3T6X1pDmo8+FdCSM05rWEZNI6MpSLk7G27mVzw2ellSl83CKxrKRn7w1nBRVrtZH6poC1Jnjrgj1PUZLUwDJux5D44diQBr01wmMIckmJ23T8OjJk+TajEOWdw= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1571242182440217.34633244471092; Wed, 16 Oct 2019 09:09:42 -0700 (PDT) Received: from localhost ([::1]:45178 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iKlro-0001aK-Tt for importer@patchew.org; Wed, 16 Oct 2019 12:09:40 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:57532) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iKlkp-0003xL-Oy for qemu-devel@nongnu.org; Wed, 16 Oct 2019 12:02:29 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iKlko-0008Gx-9U for qemu-devel@nongnu.org; Wed, 16 Oct 2019 12:02:27 -0400 Received: from mx1.redhat.com ([209.132.183.28]:37642) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iKlko-0008GW-1g for qemu-devel@nongnu.org; Wed, 16 Oct 2019 12:02:26 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4D1F63DE04 for ; Wed, 16 Oct 2019 16:02:25 +0000 (UTC) Received: from localhost (unknown [10.36.118.69]) by smtp.corp.redhat.com (Postfix) with ESMTP id E6E5E5C1D6; Wed, 16 Oct 2019 16:02:19 +0000 (UTC) From: Stefan Hajnoczi To: qemu-devel@nongnu.org Subject: [PATCH 2/2] virtiofsd: move to a new pid namespace Date: Wed, 16 Oct 2019 17:01:57 +0100 Message-Id: <20191016160157.12414-3-stefanha@redhat.com> In-Reply-To: <20191016160157.12414-1-stefanha@redhat.com> References: <20191016160157.12414-1-stefanha@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Wed, 16 Oct 2019 16:02:25 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: virtio-fs@redhat.com, "Dr. David Alan Gilbert" , Stefan Hajnoczi Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" virtiofsd needs access to /proc/self/fd. Let's move to a new pid namespace so that a compromised process cannot see another other processes running on the system. One wrinkle in this approach: unshare(CLONE_NEWPID) affects *child* processes and not the current process. Therefore we need to fork the pid 1 process that will actually run virtiofsd and leave a parent in waitpid(2). This is not the same thing as daemonization and parent processes should not notice a difference. Signed-off-by: Stefan Hajnoczi Reviewed-by: Dr. David Alan Gilbert --- contrib/virtiofsd/passthrough_ll.c | 95 ++++++++++++++++++++++-------- 1 file changed, 72 insertions(+), 23 deletions(-) diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthr= ough_ll.c index c27ff7d800..b6ee9b2e90 100644 --- a/contrib/virtiofsd/passthrough_ll.c +++ b/contrib/virtiofsd/passthrough_ll.c @@ -56,9 +56,12 @@ #include #include #include +#include #include +#include #include =20 + #include "ireg.h" #include #include @@ -2749,6 +2752,72 @@ static void setup_net_namespace(void) } } =20 +/* + * Move to a new pid namespace to prevent access to other processes if this + * process is compromised. + */ +static void setup_pid_namespace(void) +{ + pid_t child; + + /* + * Create a new pid namespace for *child* processes. We'll have to + * fork in order to enter the new pid namespace. A new mount namespace + * is also needed so that we can remount /proc for the new pid + * namespace. + */ + if (unshare(CLONE_NEWPID | CLONE_NEWNS) !=3D 0) { + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWPID | CLONE_NEWNS): %m\n"); + exit(1); + } + + child =3D fork(); + if (child < 0) { + fuse_log(FUSE_LOG_ERR, "fork() failed: %m\n"); + exit(1); + } + if (child > 0) { + pid_t waited; + int wstatus; + + /* The parent waits for the child */ + do { + waited =3D waitpid(child, &wstatus, 0); + } while (waited < 0 && errno =3D=3D EINTR); + + if (WIFEXITED(wstatus)) { + exit(WEXITSTATUS(wstatus)); + } + + exit(1); + } + + /* + * If the mounts have shared propagation then we want to opt out so our + * mount changes don't affect the parent mount namespace. + */ + if (mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) < 0) { + fuse_log(FUSE_LOG_ERR, "mount(/, MS_REC|MS_SLAVE): %m\n"); + exit(1); + } + + /* The child must remount /proc to use the new pid namespace */ + if (mount("proc", "/proc", "proc", + MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RELATIME, NULL) < 0) { + fuse_log(FUSE_LOG_ERR, "mount(/proc): %m\n"); + exit(1); + } +} + +static void setup_proc_self_fd(struct lo_data *lo) +{ + lo->proc_self_fd =3D open("/proc/self/fd", O_PATH); + if (lo->proc_self_fd =3D=3D -1) { + fuse_log(FUSE_LOG_ERR, "open(/proc/self/fd, O_PATH): %m\n"); + exit(1); + } +} + /* This magic is based on lxc's lxc_pivot_root() */ static void setup_pivot_root(const char *source) { @@ -2803,20 +2872,10 @@ static void setup_pivot_root(const char *source) =20 /* * Make the source directory our root so symlinks cannot escape and no oth= er - * files are accessible. + * files are accessible. Assumes unshare(CLONE_NEWNS) was already called. */ static void setup_mount_namespace(const char *source) { - if (unshare(CLONE_NEWNS) !=3D 0) { - fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNS): %m\n"); - exit(1); - } - - if (mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) < 0) { - fuse_log(FUSE_LOG_ERR, "mount(/, MS_REC|MS_PRIVATE): %m\n"); - exit(1); - } - if (mount(source, source, NULL, MS_BIND, NULL) < 0) { fuse_log(FUSE_LOG_ERR, "mount(%s, %s, MS_BIND): %m\n", source, source); exit(1); @@ -2831,6 +2890,8 @@ static void setup_mount_namespace(const char *source) */ static void setup_sandbox(struct lo_data *lo, bool enable_syslog) { + setup_pid_namespace(); + setup_proc_self_fd(lo); setup_net_namespace(); setup_mount_namespace(lo->source); setup_seccomp(enable_syslog); @@ -2860,15 +2921,6 @@ static void setup_root(struct lo_data *lo, struct lo= _inode *root) g_atomic_int_set(&root->refcount, 2); } =20 -static void setup_proc_self_fd(struct lo_data *lo) -{ - lo->proc_self_fd =3D open("/proc/self/fd", O_PATH); - if (lo->proc_self_fd =3D=3D -1) { - fuse_log(FUSE_LOG_ERR, "open(/proc/self/fd, O_PATH): %m\n"); - exit(1); - } -} - /* Raise the maximum number of open file descriptors to the system limit */ static void setup_nofile_rlimit(void) { @@ -3110,9 +3162,6 @@ int main(int argc, char *argv[]) get_shared(&lo, &lo.root); } =20 - /* Must be after daemonize to get the right /proc/self/fd */ - setup_proc_self_fd(&lo); - setup_sandbox(&lo, opts.syslog); =20 setup_root(&lo, &lo.root); --=20 2.21.0