tools/virtiofsd/fuse_lowlevel.h | 1 + tools/virtiofsd/helper.c | 47 ++++++++++++++++++ tools/virtiofsd/passthrough_ll.c | 102 ++++++++++++++++++++++++++++++++------- 3 files changed, 133 insertions(+), 17 deletions(-)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7:
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100)
are available in the Git repository at:
https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501
for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae:
virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100)
----------------------------------------------------------------
virtiofsd: Pull 2020-05-01 (includes CVE fix)
This set includes a security fix, other fixes and improvements.
Security fix:
The security fix is for CVE-2020-10717 where, on low RAM hosts,
the guest can potentially exceed the maximum fd limit.
This fix adds some more configuration so that the user
can explicitly set the limit.
Thank you to Yuval Avrahami for reporting this.
Fixes:
Recursive mounting of the exported directory is now used in
the sandbox, such that if there was a mount underneath present at
the time the virtiofsd was started, that mount is also
visible to the guest; in the existing code, only mounts that
happened after startup were visible.
Security improvements:
The jailing for /proc/self/fd is improved - but it's something
that shouldn't be accessible anyway.
Most capabilities are now dropped at startup; again this shouldn't
change any behaviour but is extra protection.
----------------------------------------------------------------
Max Reitz (1):
virtiofsd: Show submounts
Miklos Szeredi (1):
virtiofsd: jail lo->proc_self_fd
Stefan Hajnoczi (4):
virtiofsd: add --rlimit-nofile=NUM option
virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
virtiofsd: only retain file system capabilities
virtiofsd: drop all capabilities in the wait parent process
tools/virtiofsd/fuse_lowlevel.h | 1 +
tools/virtiofsd/helper.c | 47 ++++++++++++++++++
tools/virtiofsd/passthrough_ll.c | 102 ++++++++++++++++++++++++++++++++-------
3 files changed, 133 insertions(+), 17 deletions(-)
Dear Stable,
From this series, the fixes:
virtiofsd: add --rlimit-nofile=NUM option
virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
and
virtiofsd: Show submounts
should probably be backported.
Dave
* Dr. David Alan Gilbert (git) (dgilbert@redhat.com) wrote:
> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
>
> The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7:
>
> Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100)
>
> are available in the Git repository at:
>
> https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501
>
> for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae:
>
> virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100)
>
> ----------------------------------------------------------------
> virtiofsd: Pull 2020-05-01 (includes CVE fix)
>
> This set includes a security fix, other fixes and improvements.
>
> Security fix:
> The security fix is for CVE-2020-10717 where, on low RAM hosts,
> the guest can potentially exceed the maximum fd limit.
> This fix adds some more configuration so that the user
> can explicitly set the limit.
> Thank you to Yuval Avrahami for reporting this.
>
> Fixes:
>
> Recursive mounting of the exported directory is now used in
> the sandbox, such that if there was a mount underneath present at
> the time the virtiofsd was started, that mount is also
> visible to the guest; in the existing code, only mounts that
> happened after startup were visible.
>
> Security improvements:
>
> The jailing for /proc/self/fd is improved - but it's something
> that shouldn't be accessible anyway.
>
> Most capabilities are now dropped at startup; again this shouldn't
> change any behaviour but is extra protection.
>
> ----------------------------------------------------------------
> Max Reitz (1):
> virtiofsd: Show submounts
>
> Miklos Szeredi (1):
> virtiofsd: jail lo->proc_self_fd
>
> Stefan Hajnoczi (4):
> virtiofsd: add --rlimit-nofile=NUM option
> virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
> virtiofsd: only retain file system capabilities
> virtiofsd: drop all capabilities in the wait parent process
>
> tools/virtiofsd/fuse_lowlevel.h | 1 +
> tools/virtiofsd/helper.c | 47 ++++++++++++++++++
> tools/virtiofsd/passthrough_ll.c | 102 ++++++++++++++++++++++++++++++++-------
> 3 files changed, 133 insertions(+), 17 deletions(-)
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On Fri, 1 May 2020 at 20:16, Dr. David Alan Gilbert (git) <dgilbert@redhat.com> wrote: > > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> > > The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7: > > Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100) > > are available in the Git repository at: > > https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501 > > for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae: > > virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100) > > ---------------------------------------------------------------- > virtiofsd: Pull 2020-05-01 (includes CVE fix) > > This set includes a security fix, other fixes and improvements. > > Security fix: > The security fix is for CVE-2020-10717 where, on low RAM hosts, > the guest can potentially exceed the maximum fd limit. > This fix adds some more configuration so that the user > can explicitly set the limit. > Thank you to Yuval Avrahami for reporting this. > > Fixes: > > Recursive mounting of the exported directory is now used in > the sandbox, such that if there was a mount underneath present at > the time the virtiofsd was started, that mount is also > visible to the guest; in the existing code, only mounts that > happened after startup were visible. > > Security improvements: > > The jailing for /proc/self/fd is improved - but it's something > that shouldn't be accessible anyway. > > Most capabilities are now dropped at startup; again this shouldn't > change any behaviour but is extra protection. > > ---------------------------------------------------------------- Applied, thanks. Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1 for any user-visible changes. I notice you didn't include the usual Cc: qemu-stable@nongnu.org lines in the commits to be backported, but I think the stable branch maintainers can deal with the occasional manual notification. thanks -- PMM
* Peter Maydell (peter.maydell@linaro.org) wrote: > On Fri, 1 May 2020 at 20:16, Dr. David Alan Gilbert (git) > <dgilbert@redhat.com> wrote: > > > > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> > > > > The following changes since commit 1c47613588ccff44422d4bdeea0dc36a0a308ec7: > > > > Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-04-30 19:25:41 +0100) > > > > are available in the Git repository at: > > > > https://gitlab.com/dagrh/qemu.git tags/pull-virtiofs-20200501 > > > > for you to fetch changes up to 66502bbca37ca7a3bfa57e82cfc03b89a7a11eae: > > > > virtiofsd: drop all capabilities in the wait parent process (2020-05-01 20:05:37 +0100) > > > > ---------------------------------------------------------------- > > virtiofsd: Pull 2020-05-01 (includes CVE fix) > > > > This set includes a security fix, other fixes and improvements. > > > > Security fix: > > The security fix is for CVE-2020-10717 where, on low RAM hosts, > > the guest can potentially exceed the maximum fd limit. > > This fix adds some more configuration so that the user > > can explicitly set the limit. > > Thank you to Yuval Avrahami for reporting this. > > > > Fixes: > > > > Recursive mounting of the exported directory is now used in > > the sandbox, such that if there was a mount underneath present at > > the time the virtiofsd was started, that mount is also > > visible to the guest; in the existing code, only mounts that > > happened after startup were visible. > > > > Security improvements: > > > > The jailing for /proc/self/fd is improved - but it's something > > that shouldn't be accessible anyway. > > > > Most capabilities are now dropped at startup; again this shouldn't > > change any behaviour but is extra protection. > > > > ---------------------------------------------------------------- > > > Applied, thanks. > > Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1 > for any user-visible changes. > > I notice you didn't include the usual Cc: qemu-stable@nongnu.org > lines in the commits to be backported, but I think the stable > branch maintainers can deal with the occasional manual notification. Thanks, yes I sent a mail to qemu-stable as a reply to the series saying which patches I thought should be for stable. Dave > thanks > -- PMM > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
© 2016 - 2024 Red Hat, Inc.