From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

Hi,
  This is the 2nd set for the virtiofsd - this set sits
on top of the 'base' set recently posted.  Most of the changes
in the set are security related (with a couple more tagging
along because they were hard to separate).

  Stefan's main chunks make the daemon check the input from
the guest;  the upstream fuse code is much more trusting
about what it gets from the kernel; here the security
equation is inverted and the daemon is more trusted.
  In adition the daemon now gets sandboxing/namespacing/seccomp
limited to stop anything escaping.

  With this set virtiofsd is reasonably safe to use; we've
got some bug fixes (including some threading fixes) to send
as well though.

Dave

Dr. David Alan Gilbert (2):
  virtiofsd: Plumb fuse_bufvec through to do_write_buf
  virtiofsd: Pass write iov's all the way through

Eryu Guan (1):
  virtiofsd: print log only when priority is high enough

Miklos Szeredi (1):
  virtiofsd: passthrough_ll: add fallback for racy ops

Stefan Hajnoczi (18):
  virtiofsd: passthrough_ll: add lo_map for ino/fh indirection
  virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers
  virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers
  virtiofsd: passthrough_ll: add fd_map to hide file descriptors
  virtiofsd: validate path components
  virtiofsd: add fuse_mbuf_iter API
  virtiofsd: validate input buffer sizes in do_write_buf()
  virtiofsd: check input buffer size in fuse_lowlevel.c ops
  virtiofsd: prevent ".." escape in lo_do_lookup()
  virtiofsd: prevent ".." escape in lo_do_readdir()
  virtiofsd: use /proc/self/fd/ O_PATH file descriptor
  virtiofsd: sandbox mount namespace
  virtiofsd: move to an empty network namespace
  virtiofsd: move to a new pid namespace
  virtiofsd: add seccomp whitelist
  virtiofsd: set maximum RLIMIT_NOFILE limit
  virtiofsd: add security guide document
  virtiofsd: add --syslog command-line option

Vivek Goyal (3):
  virtiofsd: passthrough_ll: create new files in caller's context
  virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV
  virtiofsd: Drop CAP_FSETID if client asked for it

 contrib/virtiofsd/Makefile.objs    |    7 +-
 contrib/virtiofsd/buffer.c         |   28 +
 contrib/virtiofsd/fuse_common.h    |   53 +-
 contrib/virtiofsd/fuse_i.h         |    2 +-
 contrib/virtiofsd/fuse_log.c       |    4 +
 contrib/virtiofsd/fuse_lowlevel.c  |  779 +++++++++++-----
 contrib/virtiofsd/fuse_lowlevel.h  |    2 +
 contrib/virtiofsd/fuse_virtio.c    |   72 +-
 contrib/virtiofsd/helper.c         |   11 +-
 contrib/virtiofsd/passthrough_ll.c | 1317 ++++++++++++++++++++++++----
 contrib/virtiofsd/seccomp.c        |  146 +++
 contrib/virtiofsd/seccomp.h        |   16 +
 contrib/virtiofsd/security.rst     |  108 +++
 13 files changed, 2152 insertions(+), 393 deletions(-)
 create mode 100644 contrib/virtiofsd/seccomp.c
 create mode 100644 contrib/virtiofsd/seccomp.h
 create mode 100644 contrib/virtiofsd/security.rst

-- 
2.23.0