tools/virtiofsd/fuse_lowlevel.h | 1 + tools/virtiofsd/helper.c | 47 ++++++++++++++++++ tools/virtiofsd/passthrough_ll.c | 102 ++++++++++++++++++++++++++++++++------- 3 files changed, 133 insertions(+), 17 deletions(-)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7: Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100) are available in the Git repository at: https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501 for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae: virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100) ---------------------------------------------------------------- virtiofsd: Pull 2020-05-01 (includes CVE fix) This set includes a security fix, other fixes and improvements. Security fix: The security fix is for CVE-2020-10717 where, on low RAM hosts, the guest can potentially exceed the maximum fd limit. This fix adds some more configuration so that the user can explicitly set the limit. Thank you to Yuval Avrahami for reporting this. Fixes: Recursive mounting of the exported directory is now used in the sandbox, such that if there was a mount underneath present at the time the virtiofsd was started, that mount is also visible to the guest; in the existing code, only mounts that happened after startup were visible. Security improvements: The jailing for /proc/self/fd is improved - but it's something that shouldn't be accessible anyway. Most capabilities are now dropped at startup; again this shouldn't change any behaviour but is extra protection. ---------------------------------------------------------------- Max Reitz (1): virtiofsd: Show submounts Miklos Szeredi (1): virtiofsd: jail lo->proc_self_fd Stefan Hajnoczi (4): virtiofsd: add --rlimit-nofile=NUM option virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) virtiofsd: only retain file system capabilities virtiofsd: drop all capabilities in the wait parent process tools/virtiofsd/fuse_lowlevel.h | 1 + tools/virtiofsd/helper.c | 47 ++++++++++++++++++ tools/virtiofsd/passthrough_ll.c | 102 ++++++++++++++++++++++++++++++++------- 3 files changed, 133 insertions(+), 17 deletions(-)
Dear Stable, From this series, the fixes: virtiofsd: add --rlimit-nofile=NUM option virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) and virtiofsd: Show submounts should probably be backported. Dave * Dr. David Alan Gilbert (git) (dgilbert@redhat.com) wrote: > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> > > The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7: > > Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100) > > are available in the Git repository at: > > https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501 > > for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae: > > virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100) > > ---------------------------------------------------------------- > virtiofsd: Pull 2020-05-01 (includes CVE fix) > > This set includes a security fix, other fixes and improvements. > > Security fix: > The security fix is for CVE-2020-10717 where, on low RAM hosts, > the guest can potentially exceed the maximum fd limit. > This fix adds some more configuration so that the user > can explicitly set the limit. > Thank you to Yuval Avrahami for reporting this. > > Fixes: > > Recursive mounting of the exported directory is now used in > the sandbox, such that if there was a mount underneath present at > the time the virtiofsd was started, that mount is also > visible to the guest; in the existing code, only mounts that > happened after startup were visible. > > Security improvements: > > The jailing for /proc/self/fd is improved - but it's something > that shouldn't be accessible anyway. > > Most capabilities are now dropped at startup; again this shouldn't > change any behaviour but is extra protection. > > ---------------------------------------------------------------- > Max Reitz (1): > virtiofsd: Show submounts > > Miklos Szeredi (1): > virtiofsd: jail lo->proc_self_fd > > Stefan Hajnoczi (4): > virtiofsd: add --rlimit-nofile=NUM option > virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) > virtiofsd: only retain file system capabilities > virtiofsd: drop all capabilities in the wait parent process > > tools/virtiofsd/fuse_lowlevel.h | 1 + > tools/virtiofsd/helper.c | 47 ++++++++++++++++++ > tools/virtiofsd/passthrough_ll.c | 102 ++++++++++++++++++++++++++++++++------- > 3 files changed, 133 insertions(+), 17 deletions(-) > > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On Fri, 1 May 2020 at 20:16, Dr. David Alan Gilbert (git) <dgilbert@redhat.com> wrote: > > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> > > The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7: > > Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100) > > are available in the Git repository at: > > https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501 > > for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae: > > virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100) > > ---------------------------------------------------------------- > virtiofsd: Pull 2020-05-01 (includes CVE fix) > > This set includes a security fix, other fixes and improvements. > > Security fix: > The security fix is for CVE-2020-10717 where, on low RAM hosts, > the guest can potentially exceed the maximum fd limit. > This fix adds some more configuration so that the user > can explicitly set the limit. > Thank you to Yuval Avrahami for reporting this. > > Fixes: > > Recursive mounting of the exported directory is now used in > the sandbox, such that if there was a mount underneath present at > the time the virtiofsd was started, that mount is also > visible to the guest; in the existing code, only mounts that > happened after startup were visible. > > Security improvements: > > The jailing for /proc/self/fd is improved - but it's something > that shouldn't be accessible anyway. > > Most capabilities are now dropped at startup; again this shouldn't > change any behaviour but is extra protection. > > ---------------------------------------------------------------- Applied, thanks. Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1 for any user-visible changes. I notice you didn't include the usual Cc: qemu-stable@nongnu.org lines in the commits to be backported, but I think the stable branch maintainers can deal with the occasional manual notification. thanks -- PMM
* Peter Maydell (peter.maydell@linaro.org) wrote: > On Fri, 1 May 2020 at 20:16, Dr. David Alan Gilbert (git) > <dgilbert@redhat.com> wrote: > > > > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> > > > > The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7: > > > > Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100) > > > > are available in the Git repository at: > > > > https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501 > > > > for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae: > > > > virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100) > > > > ---------------------------------------------------------------- > > virtiofsd: Pull 2020-05-01 (includes CVE fix) > > > > This set includes a security fix, other fixes and improvements. > > > > Security fix: > > The security fix is for CVE-2020-10717 where, on low RAM hosts, > > the guest can potentially exceed the maximum fd limit. > > This fix adds some more configuration so that the user > > can explicitly set the limit. > > Thank you to Yuval Avrahami for reporting this. > > > > Fixes: > > > > Recursive mounting of the exported directory is now used in > > the sandbox, such that if there was a mount underneath present at > > the time the virtiofsd was started, that mount is also > > visible to the guest; in the existing code, only mounts that > > happened after startup were visible. > > > > Security improvements: > > > > The jailing for /proc/self/fd is improved - but it's something > > that shouldn't be accessible anyway. > > > > Most capabilities are now dropped at startup; again this shouldn't > > change any behaviour but is extra protection. > > > > ---------------------------------------------------------------- > > > Applied, thanks. > > Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1 > for any user-visible changes. > > I notice you didn't include the usual Cc: qemu-stable@nongnu.org > lines in the commits to be backported, but I think the stable > branch maintainers can deal with the occasional manual notification. Thanks, yes I sent a mail to qemu-stable as a reply to the series saying which patches I thought should be for stable. Dave > thanks > -- PMM > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
© 2016 - 2024 Red Hat, Inc.