From nobody Sat May 18 06:31:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1588360607; cv=none; d=zohomail.com; s=zohoarc; b=RxRIsc8K+XetbKeZl+d3TQ8A/GAp3wEdEPO7kgPcrLcNwKnOBKya/ZoDUEOXEFNCabX0jpO2fMiTltAtAGib+yAlDYTsiu7YGH2S0BG9s9YBmGAK1sJpaNp+8ZrTsdoFxM7QCF1OC2WZ8tYVa0XaD9dxzw1wdXYj/c1CyMzDd8k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1588360607; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=odmGtRxQk+EqM/HcvrxgC41O+CKxykuhqQN21kGWGz8=; b=mA8wAidECxP7FCx24clTjBi7M4QV3rdV2QO9PmHUI+lyIUYptP+X26CWYr5gCj/1xqGcWU7B9HsAOckpDxqDtogDi6fiAGXCnRF/0Y23EzUq6N6DtWqx7qg2KHZkGazEUrMaQpu1cpS9FjkgXdhaF0jVNyHKLE+Y8ixJwsBr4Ko= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1588360607340525.134273739683; Fri, 1 May 2020 12:16:47 -0700 (PDT) Received: from localhost ([::1]:35718 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jUb9R-0008Bn-KZ for importer@patchew.org; Fri, 01 May 2020 15:16:45 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33372) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jUb84-0006Ya-1e for qemu-devel@nongnu.org; Fri, 01 May 2020 15:15:20 -0400 Received: from 
Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.90_1) (envelope-from ) id 1jUb82-0008Ud-4c for qemu-devel@nongnu.org; Fri, 01 May 2020 15:15:19 -0400 Received: from us-smtp-1.mimecast.com ([205.139.110.61]:60408 helo=us-smtp-delivery-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1jUb81-0008TD-Kd for qemu-devel@nongnu.org; Fri, 01 May 2020 15:15:17 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-194-ZvCHB37WONKomZ4pC32vUg-1; Fri, 01 May 2020 15:15:14 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 743CD45F; Fri, 1 May 2020 19:15:13 +0000 (UTC) Received: from dgilbert-t580.localhost (ovpn-112-191.ams2.redhat.com [10.36.112.191]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3FEB310013BD; Fri, 1 May 2020 19:15:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1588360516; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=odmGtRxQk+EqM/HcvrxgC41O+CKxykuhqQN21kGWGz8=; b=ilcbAjIa3zCmHD6rexnlZqweKYrPECqdB/6+HWi/mUysVI2fbR3bl3pUhXT8r96HfvVPrW m0Zsm1M0xofP3YLJDR4CFzYO1dE035LOMIwM3yoJGVcuLb+UarJ9tF9ZpjHT+ktbF7oE6c iYpX/5FgcHmu9nC8EuikLdAtOYZpZaw= X-MC-Unique: ZvCHB37WONKomZ4pC32vUg-1 
From: "Dr. David Alan Gilbert (git)"
To: qemu-devel@nongnu.org, stefanha@redhat.com, yavrahami@paloaltonetworks.com, mszeredi@redhat.com, mreitz@redhat.com
Subject: [PULL 1/6] virtiofsd: add --rlimit-nofile=NUM option
Date: Fri, 1 May 2020 20:14:55 +0100
Message-Id: <20200501191500.126432-2-dgilbert@redhat.com>
In-Reply-To: <20200501191500.126432-1-dgilbert@redhat.com>
References: <20200501191500.126432-1-dgilbert@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org;
Received-SPF: pass client-ip=205.139.110.61; envelope-from=dgilbert@redhat.com; helo=us-smtp-delivery-1.mimecast.com
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/05/01 12:40:15
X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic]
X-Received-From: 205.139.110.61
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel"
X-ZohoMail-DKIM: pass (identity @redhat.com)
Content-Type: text/plain; charset="utf-8"

From: Stefan Hajnoczi

Make it possible to specify the RLIMIT_NOFILE on the command-line. Users running multiple virtiofsd processes should allocate a certain number to each process so that the system-wide limit can never be exhausted.

When this option is set to 0 the rlimit is left at its current value. This is useful when a management tool wants to configure the rlimit itself.

The default behavior remains unchanged: try to set the limit to 1,000,000 file descriptors if the current rlimit is lower.
Signed-off-by: Stefan Hajnoczi Reviewed-by: Dr. David Alan Gilbert Message-Id: <20200501140644.220940-2-stefanha@redhat.com> Signed-off-by: Dr. David Alan Gilbert --- tools/virtiofsd/fuse_lowlevel.h | 1 + tools/virtiofsd/helper.c | 23 +++++++++++++++++++++++ tools/virtiofsd/passthrough_ll.c | 22 ++++++++-------------- 3 files changed, 32 insertions(+), 14 deletions(-) diff --git a/tools/virtiofsd/fuse_lowlevel.h b/tools/virtiofsd/fuse_lowleve= l.h index 8f6d705b5c..562fd5241e 100644 --- a/tools/virtiofsd/fuse_lowlevel.h +++ b/tools/virtiofsd/fuse_lowlevel.h @@ -1777,6 +1777,7 @@ struct fuse_cmdline_opts { int syslog; int log_level; unsigned int max_idle_threads; + unsigned long rlimit_nofile; }; =20 /** diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c index 819c2bc13c..dc59f38af0 100644 --- a/tools/virtiofsd/helper.c +++ b/tools/virtiofsd/helper.c @@ -23,6 +23,8 @@ #include #include #include +#include +#include #include =20 #define FUSE_HELPER_OPT(t, p) \ @@ -53,6 +55,7 @@ static const struct fuse_opt fuse_helper_opts[] =3D { FUSE_HELPER_OPT("subtype=3D", nodefault_subtype), FUSE_OPT_KEY("subtype=3D", FUSE_OPT_KEY_KEEP), FUSE_HELPER_OPT("max_idle_threads=3D%u", max_idle_threads), + FUSE_HELPER_OPT("--rlimit-nofile=3D%lu", rlimit_nofile), FUSE_HELPER_OPT("--syslog", syslog), FUSE_HELPER_OPT_VALUE("log_level=3Ddebug", log_level, FUSE_LOG_DEBUG), FUSE_HELPER_OPT_VALUE("log_level=3Dinfo", log_level, FUSE_LOG_INFO), @@ -171,6 +174,9 @@ void fuse_cmdline_help(void) " default: no_writeback\n" " -o xattr|no_xattr enable/disable xattr\n" " default: no_xattr\n" + " --rlimit-nofile=3D set maximum number of file de= scriptors\n" + " (0 leaves rlimit unchanged)\n" + " default: 1,000,000 if the curre= nt rlimit is lower\n" ); } =20 
@@ -191,11 +197,28 @@ static int fuse_helper_opt_proc(void *data, const cha= r *arg, int key, } } =20 +static unsigned long get_default_rlimit_nofile(void) +{ + rlim_t max_fds =3D 1000000; /* our default RLIMIT_NOFILE target */ + struct rlimit rlim; + + if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) { + fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n"); + exit(1); + } + + if (rlim.rlim_cur >=3D max_fds) { + return 0; /* we have more fds available than required! */ + } + return max_fds; +} + int fuse_parse_cmdline(struct fuse_args *args, struct fuse_cmdline_opts *o= pts) { memset(opts, 0, sizeof(struct fuse_cmdline_opts)); =20 opts->max_idle_threads =3D 10; + opts->rlimit_nofile =3D get_default_rlimit_nofile(); opts->foreground =3D 1; =20 if (fuse_opt_parse(args, opts, fuse_helper_opts, fuse_helper_opt_proc)= =3D=3D diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index 4c35c95b25..f7b9c1d20c 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2707,24 +2707,18 @@ static void setup_sandbox(struct lo_data *lo, struc= t fuse_session *se, setup_seccomp(enable_syslog); } =20 -/* Raise the maximum number of open file descriptors */ -static void setup_nofile_rlimit(void) +/* Set the maximum number of open file descriptors */ +static void setup_nofile_rlimit(unsigned long rlimit_nofile) { - const rlim_t max_fds =3D 1000000; - struct rlimit rlim; - - if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) { - fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n"); - exit(1); - } + struct rlimit rlim =3D { + .rlim_cur =3D rlimit_nofile, + .rlim_max =3D rlimit_nofile, + }; =20 - if (rlim.rlim_cur >=3D max_fds) { + if (rlimit_nofile =3D=3D 0) { return; /* nothing to do */ } =20 - rlim.rlim_cur =3D max_fds; - rlim.rlim_max =3D max_fds; - if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) { /* Ignore SELinux denials */ if (errno =3D=3D EPERM) { 
@@ -2977,7 +2971,7 @@ int main(int argc, char *argv[]) =20 fuse_daemonize(opts.foreground); =20 - setup_nofile_rlimit(); + setup_nofile_rlimit(opts.rlimit_nofile); =20 /* Must be before sandbox since it wants /proc */ setup_capng(); --=20 2.26.2 From nobody Sat May 18 06:31:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1588360736; cv=none; d=zohomail.com; s=zohoarc; b=cMihvMKUIAnomaPfRJ1GJlgKlXBwCwK3RGIQ8SH8wtXUv86Dj9vTOF5y8Nzj4gIlmGetG/e1Ya21BcxZ9R0Ftipha2Eyk4txe9nMJFlJgTE9BaBxrY+6g1wDbsHJd4FoOie2LXn5eySB7GYIsLJ56jce7E/tbudtUPR8ViHosZI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1588360736; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=a7tlgW/RV4oirjcdS6rirP8fOn1hpnptskhP1fFJ9kE=; b=nG+pScu3bRO5ebt8sKEnwehY7e2YmwadnW4p7RLHuwIl3yQ1LwQcUg+ssY/K3EPwPw2H3zPlV0Xbxa8OLZgh62FqLWo5bq7VraRx4M/mst8jd0NQgXc9y2we87/Tr3qniYtR70nYawGJaCsdSsMyxlwWVKXxGOzzAliCc7P+wS4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1588360736942356.3756849265036; Fri, 1 May 2020 12:18:56 -0700 (PDT) Received: from localhost ([::1]:43100 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jUbBW-0002yB-Eu for importer@patchew.org; Fri, 01 May 2020 15:18:54 -0400 Received: 
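Review bot: in the passthrough_ll.c hunk, setup_nofile_rlimit() now sets `.rlim_max = rlimit_nofile` as well as `.rlim_cur`, so a user-supplied --rlimit-nofile below the current hard limit lowers the hard limit for the rest of the daemon's life (an unprivileged process cannot raise rlim_max again), while a value above the current hard limit fails with EPERM and is swallowed by the existing `/* Ignore SELinux denials */` branch without any trace in the log. Suggest logging at warning level when an explicitly requested value (as opposed to the computed default) could not be applied, and saying in the --rlimit-nofile help text in the helper.c hunk that both the soft and the hard limit are set to NUM, since operators sizing several virtiofsd processes against the system-wide table will rely on the value actually taking effect.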
From: "Dr. David Alan Gilbert (git)"
To: qemu-devel@nongnu.org, stefanha@redhat.com, yavrahami@paloaltonetworks.com, mszeredi@redhat.com, mreitz@redhat.com
Subject: [PULL 2/6] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
Date: Fri, 1 May 2020 20:14:56 +0100
Message-Id: <20200501191500.126432-3-dgilbert@redhat.com>
In-Reply-To: <20200501191500.126432-1-dgilbert@redhat.com>
References: <20200501191500.126432-1-dgilbert@redhat.com>

From: Stefan Hajnoczi

The system-wide fs.file-max sysctl value determines how many files can be open. It defaults to a value calculated based on the machine's RAM size.

Previously virtiofsd would try to set RLIMIT_NOFILE to 1,000,000 and this allowed the FUSE client to exhaust the number of open files system-wide on Linux hosts with less than 10 GB of RAM!

Take fs.file-max into account when choosing the default RLIMIT_NOFILE value.

Fixes: CVE-2020-10717
Reported-by: Yuval Avrahami
Signed-off-by: Stefan Hajnoczi Reviewed-by: Dr. David Alan Gilbert Message-Id: <20200501140644.220940-3-stefanha@redhat.com> Signed-off-by: Dr. David Alan Gilbert --- tools/virtiofsd/helper.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c index dc59f38af0..00a1ef666a 100644 --- a/tools/virtiofsd/helper.c +++ b/tools/virtiofsd/helper.c @@ -176,7 +176,8 @@ void fuse_cmdline_help(void) " default: no_xattr\n" " --rlimit-nofile=3D set maximum number of file de= scriptors\n" " (0 leaves rlimit unchanged)\n" - " default: 1,000,000 if the curre= nt rlimit is lower\n" + " default: min(1000000, fs.file-m= ax - 16384)\n" + " if the current rlimit = is lower\n" ); } =20 
@@ -199,9 +200,32 @@ static int fuse_helper_opt_proc(void *data, const char= *arg, int key, =20 static unsigned long get_default_rlimit_nofile(void) { + g_autofree gchar *file_max_str =3D NULL; + const rlim_t reserved_fds =3D 16384; /* leave at least this many fds f= ree */ rlim_t max_fds =3D 1000000; /* our default RLIMIT_NOFILE target */ + rlim_t file_max; struct rlimit rlim; =20 + /* + * Reduce max_fds below the system-wide maximum, if necessary. This + * ensures there are fds available for other processes so we don't + * cause resource exhaustion. + */ + if (!g_file_get_contents("/proc/sys/fs/file-max", &file_max_str, + NULL, NULL)) { + fuse_log(FUSE_LOG_ERR, "can't read /proc/sys/fs/file-max\n"); + exit(1); + } + file_max =3D g_ascii_strtoull(file_max_str, NULL, 10); + if (file_max < 2 * reserved_fds) { + fuse_log(FUSE_LOG_ERR, + "The fs.file-max sysctl is too low (%lu) to allow a " + "reasonable number of open files.\n", + (unsigned long)file_max); + exit(1); + } + max_fds =3D MIN(file_max - reserved_fds, max_fds); + if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) { fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n"); exit(1); --=20 2.26.2 From nobody Sat May 18 06:31:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1588360737; cv=none; d=zohomail.com; s=zohoarc; b=awclSjUCzglUTxeBiljs2vK/pZ5o41rE0M44lNMV6ETnNPE1HtI3V1Qoy077W/dBohb8SgN7xxDmns2noaRwm/mTr3+CT0KaVKeHkdCBW8m9nm3iqaYaxTHrDpNo6y03ugRriAUraIEcZiwdXQ/V1hlGL9l/esHfmZWhriVETpI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1588360737; 
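Review bot: the fs.file-max clamp in this hunk lives only in get_default_rlimit_nofile(), so an explicit --rlimit-nofile=NUM from the previous patch still reaches setrlimit() unclamped and can exceed fs.file-max, and `reserved_fds = 16384` is a per-process reservation, so several virtiofsd instances (the multi-process deployment the previous patch's message describes) can still exhaust the system-wide table between them. Suggest at least logging a warning when an explicit value exceeds `file_max - reserved_fds` and stating in the help text that the clamp applies to the default only. Separately, `g_ascii_strtoull(file_max_str, NULL, 10)` returns 0 for unparseable input; the `file_max < 2 * reserved_fds` check does catch that, but the resulting "too low (0)" message is misleading, so passing an end pointer and reporting a parse error when nothing was consumed would make the failure mode clearer.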
From: "Dr. David Alan Gilbert (git)"
To: qemu-devel@nongnu.org, stefanha@redhat.com, yavrahami@paloaltonetworks.com, mszeredi@redhat.com, mreitz@redhat.com
Subject: [PULL 3/6] virtiofsd: jail lo->proc_self_fd
Date: Fri, 1 May 2020 20:14:57 +0100
Message-Id: <20200501191500.126432-4-dgilbert@redhat.com>
In-Reply-To: <20200501191500.126432-1-dgilbert@redhat.com>
References: <20200501191500.126432-1-dgilbert@redhat.com>

From: Miklos Szeredi

While it's not possible to escape the proc filesystem through lo->proc_self_fd, it is possible to escape to the root of the proc filesystem itself through "../..".

Use a temporary mount for opening lo->proc_self_fd, that has its root at /proc/self/fd/, preventing access to the ancestor directories.

Signed-off-by: Miklos Szeredi
Message-Id: <20200429124733.22488-1-mszeredi@redhat.com>
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Dr. David Alan Gilbert --- tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index f7b9c1d20c..d7a6474b6e 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2536,6 +2536,8 @@ static void print_capabilities(void) static void setup_namespaces(struct lo_data *lo, struct fuse_session *se) { pid_t child; + char template[] =3D "virtiofsd-XXXXXX"; + char *tmpdir; =20 /* * Create a new pid namespace for *child* processes. We'll have to 
@@ -2597,12 +2599,33 @@ static void setup_namespaces(struct lo_data *lo, st= ruct fuse_session *se) exit(1); } =20 + tmpdir =3D mkdtemp(template); + if (!tmpdir) { + fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template); + exit(1); + } + + if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) { + fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n", + tmpdir); + exit(1); + } + /* Now we can get our /proc/self/fd directory file descriptor */ - lo->proc_self_fd =3D open("/proc/self/fd", O_PATH); + lo->proc_self_fd =3D open(tmpdir, O_PATH); if (lo->proc_self_fd =3D=3D -1) { - fuse_log(FUSE_LOG_ERR, "open(/proc/self/fd, O_PATH): %m\n"); + fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir); exit(1); } + + if (umount2(tmpdir, MNT_DETACH) < 0) { + fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir); + exit(1); + } + + if (rmdir(tmpdir) < 0) { + fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir); + } } =20 /* --=20 2.26.2 From nobody Sat May 18 06:31:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1588360612; cv=none; d=zohomail.com; s=zohoarc; b=ZSoOrB2Hrt0e73r4OsQlfCRFCWW1GQpHZwag7UOrXOw4RupLL1VjPkjU5msMn2IIVcps/MxCNfJENToftMXUlx6IerAiYjv/QefjXHM7ytY1ME1/tVvjE+IZF3Iznv/2CXLg1hi6Lxe/9tu/hIA+tdqynqfHWQ/G1Gme4AQVUOE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1588360612; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=hsgnZnnZTeW/j8EemRxHfSaBhcpBiLBvUyYJvSada90=; 
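Review bot: `char template[] = "virtiofsd-XXXXXX"` in the setup_namespaces() hunk is a relative path, so mkdtemp() creates the bind-mount target in whatever the daemon's current working directory happens to be at this point, which nothing in the hunk establishes or checks; suggest an absolute template in a location the daemon controls, or at minimum a comment stating the cwd assumption, since the directory briefly exists on the host filesystem before the umount2()/rmdir() cleanup. The failure message `"tmpdir(%s): %m\n"` also names a function that does not exist; `mkdtemp(%s)` would match the other messages in this function. Finally, if umount2() fails the process exits with the temporary directory still bind-mounted and never removed, which is fine for a fatal path but deserves a one-line comment.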
From: "Dr. David Alan Gilbert (git)"
To: qemu-devel@nongnu.org, stefanha@redhat.com, yavrahami@paloaltonetworks.com, mszeredi@redhat.com, mreitz@redhat.com
Subject: [PULL 4/6] virtiofsd: Show submounts
Date: Fri, 1 May 2020 20:14:58 +0100
Message-Id: <20200501191500.126432-5-dgilbert@redhat.com>
In-Reply-To: <20200501191500.126432-1-dgilbert@redhat.com>
References: <20200501191500.126432-1-dgilbert@redhat.com>

From: Max Reitz

Currently, setup_mounts() bind-mounts the shared directory without MS_REC. This makes all submounts disappear.

Pass MS_REC so that the guest can see submounts again.

Fixes: 5baa3b8e95064c2434bd9e2f312edd5e9ae275dc
Signed-off-by: Max Reitz
Message-Id: <20200424133516.73077-1-mreitz@redhat.com>
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Dr. David Alan Gilbert

Changed Fixes to point to the commit with the problem rather than the commit that turned it on
---
tools/virtiofsd/passthrough_ll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index d7a6474b6e..7873692168 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c 
@@ -2666,7 +2666,7 @@ static void setup_mounts(const char *source) int oldroot; int newroot; =20 - if (mount(source, source, NULL, MS_BIND, NULL) < 0) { + if (mount(source, source, NULL, MS_BIND | MS_REC, NULL) < 0) { fuse_log(FUSE_LOG_ERR, "mount(%s, %s, MS_BIND): %m\n", source, sou= rce); exit(1); } --=20 2.26.2 From nobody Sat May 18 06:31:25 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1588360865; cv=none; d=zohomail.com; s=zohoarc; b=nBJxXV6Q8Q77Ib8bra06L4+TtOHtBJI8gO+8I0uGa7O7Bvd/adjTdBT7Y1WKd1MmYeizgCLUOSRWznCvuKx/37p2jMmcQS6y8MBxuSS/s2VAucoK8HC06xlWOfToutibS99GES9s7GGbZfT2yZj18WXAFFgqz2+qJG/0xQSM0EQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1588360865; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=iz1+575CZTAwF4/10qO3yMqVxn8dKAPijQXPhGnAxMs=; b=DWr5N74S28gQo5YLw8kLVtboipY0rz45qy3tL6Q5PsDdFlO6G9z8z04TLDlLDeTDFLS0IrgqkLYHaLIj6khK9a0mcJT07jgY9gA3RoSDC+jSw7oZaukluO/N9YF8vTtEvXo9Dc3FoFGiwK2fRadYLZJnA/aax1lzl6I1UB3u9Ww= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1588360865094290.06176149474436; Fri, 1 May 2020 12:21:05 -0700 (PDT) Received: from localhost ([::1]:47434 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 
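Review bot: the error message in the same hunk still reads `mount(%s, %s, MS_BIND): %m` although the call now passes `MS_BIND | MS_REC`; update the string so a failure in the log matches the flags actually used. Since MS_REC propagates every mount beneath source into the guest-visible tree, it would also help operators to note in the virtiofsd documentation of the shared directory that anything mounted under it is exposed to the guest, which is the intended behaviour per the commit message but easy to overlook when deciding what to mount there.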
1jUbDb-00056p-Tb for importer@patchew.org; Fri, 01 May 2020 15:21:03 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33428) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jUb8B-0006lj-6K for qemu-devel@nongnu.org; Fri, 01 May 2020 15:15:27 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.90_1) (envelope-from ) id 1jUb8A-0000B1-A5 for qemu-devel@nongnu.org; Fri, 01 May 2020 15:15:26 -0400 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:34502 helo=us-smtp-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1jUb89-0000AD-QS for qemu-devel@nongnu.org; Fri, 01 May 2020 15:15:25 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-351-n_IFVKRNOfCm3Dk7rru0TQ-1; Fri, 01 May 2020 15:15:20 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 86576107ACF3; Fri, 1 May 2020 19:15:19 +0000 (UTC) Received: from dgilbert-t580.localhost (ovpn-112-191.ams2.redhat.com [10.36.112.191]) by smtp.corp.redhat.com (Postfix) with ESMTP id 545B710013BD; Fri, 1 May 2020 19:15:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1588360525; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iz1+575CZTAwF4/10qO3yMqVxn8dKAPijQXPhGnAxMs=; b=XqoMIc+/WKj3+zVAAb9zW+mIMSmmoJggWwv9mnhevf8zrgR9/WOtUTZEEVmCaaJrKUIuni rIsMzSv9kwK0sdNaWPZOR20LnXrzqKjDHNtlqV/o7A1AtXfkYs5JGZzgI/zWtYWVknq9cq HPT75SF1czNvC3akaK2sts0FrntFGQk= 
From: "Dr. David Alan Gilbert (git)"
To: qemu-devel@nongnu.org, stefanha@redhat.com, yavrahami@paloaltonetworks.com, mszeredi@redhat.com, mreitz@redhat.com
Subject: [PULL 5/6] virtiofsd: only retain file system capabilities
Date: Fri, 1 May 2020 20:14:59 +0100
Message-Id: <20200501191500.126432-6-dgilbert@redhat.com>
In-Reply-To: <20200501191500.126432-1-dgilbert@redhat.com>
References: <20200501191500.126432-1-dgilbert@redhat.com>
From: Stefan Hajnoczi

virtiofsd runs as root but only needs a subset of root's Linux capabilities(7). As a file server its purpose is to create and access files on behalf of a client. It needs to be able to access files with arbitrary uid/gid owners. It also needs to be able to create device nodes.

Introduce a Linux capabilities(7) whitelist and drop all capabilities that we don't need, making the virtiofsd process less powerful than a regular uid root process.

  # cat /proc/PID/status
  ...
                  Before            After
  CapInh: 0000000000000000  0000000000000000
  CapPrm: 0000003fffffffff  00000000880000df
  CapEff: 0000003fffffffff  00000000880000df
  CapBnd: 0000003fffffffff  0000000000000000
  CapAmb: 0000000000000000  0000000000000000

Note that file capabilities cannot be used to achieve the same effect on the virtiofsd executable because mount is used during sandbox setup. Therefore we drop capabilities programmatically at the right point during startup.

This patch only affects the sandboxed child process. The parent process that sits in waitpid(2) still has full root capabilities and will be addressed in the next patch.

Signed-off-by: Stefan Hajnoczi
Message-Id: <20200416164907.244868-2-stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert
Signed-off-by: Dr. David Alan Gilbert
---
 tools/virtiofsd/passthrough_ll.c | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index 7873692168..e49650b63d 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c
@@ -2718,6 +2718,43 @@ static void setup_mounts(const char *source) close(oldroot); } =20 +/* + * Only keep whitelisted capabilities that are needed for file system oper= ation + */ +static void setup_capabilities(void) +{ + pthread_mutex_lock(&cap.mutex); + capng_restore_state(&cap.saved); + + /* + * Whitelist file system-related capabilities that are needed for a fi= le + * server to act like root. Drop everything else like networking and + * sysadmin capabilities. + * + * Exclusions: + * 1. CAP_LINUX_IMMUTABLE is not included because it's only used via i= octl + * and we don't support that. + * 2. CAP_MAC_OVERRIDE is not included because it only seems to be + * used by the Smack LSM. Omit it until there is demand for it. + */ + capng_setpid(syscall(SYS_gettid)); + capng_clear(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, + CAP_CHOWN, + CAP_DAC_OVERRIDE, + CAP_DAC_READ_SEARCH, + CAP_FOWNER, + CAP_FSETID, + CAP_SETGID, + CAP_SETUID, + CAP_MKNOD, + CAP_SETFCAP); + capng_apply(CAPNG_SELECT_BOTH); + + cap.saved =3D capng_save_state(); + pthread_mutex_unlock(&cap.mutex); +} + /* * Lock down this process to prevent access to other processes or files ou= tside * source directory. This reduces the impact of arbitrary code execution = bugs. 
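Review bot: the return values of capng_updatev() and capng_apply() are ignored in setup_capabilities(), so if applying the reduced sets fails the child silently continues with full root capabilities; the other sandbox steps in this file treat a setup failure as fatal (fuse_log(FUSE_LOG_ERR, ...) followed by exit(1)), and this function should do the same, e.g. `if (capng_apply(CAPNG_SELECT_BOTH) < 0) { fuse_log(FUSE_LOG_ERR, "capng_apply failed\n"); exit(1); }`. A smaller point: the block comment explains two exclusions but not that CAP_SYS_ADMIN is deliberately dropped, which is exactly why this function has to run after setup_mounts(); stating that ordering constraint in the comment would stop a later reordering from breaking the mount setup.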
@@ -2728,6 +2765,7 @@ static void setup_sandbox(struct lo_data *lo, struct = fuse_session *se, setup_namespaces(lo, se); setup_mounts(lo->source); setup_seccomp(enable_syslog); + setup_capabilities(); } =20 /* Set the maximum number of open file descriptors */ --=20 2.26.2
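Review bot: setup_capabilities() is called after setup_seccomp(), so the capset(2) and prctl(2) calls that libcap-ng makes on its behalf, plus the gettid(2) used for capng_setpid(), must all be permitted by the seccomp filter that was installed one line earlier, and they then stay available to the sandboxed process for its whole lifetime. Either call setup_capabilities() before setup_seccomp() (it only needs to come after setup_mounts(), which still requires CAP_SYS_ADMIN) so the syscall allowlist can be tightened, or add a comment at the call site explaining why this order is required.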
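The Before/After capability sets quoted in the commit message above can be checked mechanically. The following Python is an added example, not part of the virtiofsd patches or QEMU: it decodes the Cap* hex masks of /proc/PID/status (bit numbers as in <linux/capability.h>) and reports anything held beyond the nine-entry whitelist that setup_capabilities() passes to capng_updatev(). The status text is constructed from the values in the commit message.

```python
import re
# Capability numbers from <linux/capability.h>: list index == bit number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# The whitelist setup_capabilities() passes to capng_updatev().
VIRTIOFSD_WHITELIST = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_SETGID", "CAP_SETUID", "CAP_MKNOD", "CAP_SETFCAP",
}

def mask_to_caps(mask):
    """Names of the capabilities whose bit is set in a Cap* mask."""
    return {CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1}

def caps_to_mask(names):
    """Inverse of mask_to_caps(): the value CapPrm/CapEff should show."""
    return sum(1 << CAP_NAMES.index(n) for n in names)

def parse_status(text):
    """Extract the five Cap* fields of /proc/PID/status as integers."""
    fields = re.findall(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$",
                        text, re.M)
    return {name: int(hexval, 16) for name, hexval in fields}

def caps_beyond_whitelist(status_text, allowed=VIRTIOFSD_WHITELIST):
    """Capabilities present in any set, bounding set included (it limits
    what an exec could regain), that the whitelist does not allow."""
    c = parse_status(status_text)
    held = c["CapInh"] | c["CapPrm"] | c["CapEff"] | c["CapBnd"] | c["CapAmb"]
    return mask_to_caps(held) - set(allowed)

# Constructed samples: the Before and After columns from the commit message.
BEFORE_STATUS = ("CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\nCapEff:\t"
                 "0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n")
AFTER_STATUS = ("CapInh:\t0000000000000000\nCapPrm:\t00000000880000df\nCapEff:\t"
                "00000000880000df\nCapBnd:\t0000000000000000\nCapAmb:\t0000000000000000\n")
```

Against a running daemon, feed the contents of /proc/PID/status of the sandboxed child to caps_beyond_whitelist(); an empty set means it holds nothing beyond the patch's whitelist.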
From: "Dr. David Alan Gilbert (git)"
To: qemu-devel@nongnu.org, stefanha@redhat.com, yavrahami@paloaltonetworks.com, mszeredi@redhat.com, mreitz@redhat.com
Subject: [PULL 6/6] virtiofsd: drop all capabilities in the wait parent process
Date: Fri, 1 May 2020 20:15:00 +0100
Message-Id: <20200501191500.126432-7-dgilbert@redhat.com>
In-Reply-To: <20200501191500.126432-1-dgilbert@redhat.com>
References: <20200501191500.126432-1-dgilbert@redhat.com>

From: Stefan Hajnoczi

All this process does is wait for its child. No capabilities are needed.

Signed-off-by: Stefan Hajnoczi
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Dr. David Alan Gilbert
---
 tools/virtiofsd/passthrough_ll.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index e49650b63d..3ba1d90984 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c
@@ -2530,6 +2530,17 @@ static void print_capabilities(void) printf("}\n"); } =20 +/* + * Drop all Linux capabilities because the wait parent process only needs = to + * sit in waitpid(2) and terminate. + */ +static void setup_wait_parent_capabilities(void) +{ + capng_setpid(syscall(SYS_gettid)); + capng_clear(CAPNG_SELECT_BOTH); + capng_apply(CAPNG_SELECT_BOTH); +} + /* * Move to a new mount, net, and pid namespaces to isolate this process. */ @@ -2563,6 +2574,8 @@ static void setup_namespaces(struct lo_data *lo, stru= ct fuse_session *se) pid_t waited; int wstatus; =20 + setup_wait_parent_capabilities(); + /* The parent waits for the child */ do { waited =3D waitpid(child, &wstatus, 0); --=20 2.26.2
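Review bot: in the first hunk, setup_wait_parent_capabilities() discards the result of capng_apply(), and this is the one virtiofsd process that stays outside the namespaces and the seccomp filter, so a silent failure here leaves a fully capable root process that nothing reports; check the return value and exit (or at least fuse_log() the failure) as setup_mounts() does for a failed mount. The capng_setpid(syscall(SYS_gettid)) call also targets only the calling thread, which is correct here only because the parent is single-threaded at this point; a comment stating that assumption would keep it from being invalidated quietly.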
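Review bot: in the second hunk, the new setup_wait_parent_capabilities() call is placed in the parent branch just before the waitpid() loop without a word on why it must be exactly there; a short comment that it runs after the fork (so the child inherits the full sets it still needs for setup_mounts() and setup_capabilities()) and that the parent drops everything only once its sole remaining job is waitpid(2) would document the ordering constraint for future edits to setup_namespaces().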