lo_setattr() invokes fchmod() in a rarely used code path, so it should
be whitelisted or virtiofsd will crash with EBADSYS.
Said code path can be triggered for example as follows:
On the host, in the shared directory, create a file with the sticky bit
set and a security.capability xattr:
(1) # touch foo
(2) # chmod u+s foo
(3) # setcap '' foo
Then in the guest let some process truncate that file after it has
dropped all of its capabilities (at least CAP_FSETID):
int main(int argc, char *argv[])
{
capng_setpid(getpid());
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
capng_apply(CAPNG_SELECT_BOTH);
ftruncate(open(argv[1], O_RDWR), 0);
}
This will cause the guest kernel to drop the sticky bit (i.e. perform a
mode change) as part of the truncate (where FATTR_FH is set), and that
will cause virtiofsd to invoke fchmod() instead of fchmodat().
(A similar configuration exists further below with futimens() vs.
utimensat(), but the former is not a syscall but just a wrapper for the
latter, so no further whitelisting is required.)
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
Reported-by: Qian Cai <caiqian@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
---
tools/virtiofsd/seccomp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
index bd9e7b083c..3b1522acdd 100644
--- a/tools/virtiofsd/seccomp.c
+++ b/tools/virtiofsd/seccomp.c
@@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
SCMP_SYS(exit_group),
SCMP_SYS(fallocate),
SCMP_SYS(fchdir),
+ SCMP_SYS(fchmod),
SCMP_SYS(fchmodat),
SCMP_SYS(fchownat),
SCMP_SYS(fcntl),
--
2.26.2
* Max Reitz (mreitz@redhat.com) wrote:
> lo_setattr() invokes fchmod() in a rarely used code path, so it should
> be whitelisted or virtiofsd will crash with EBADSYS.
>
> Said code path can be triggered for example as follows:
>
> On the host, in the shared directory, create a file with the sticky bit
> set and a security.capability xattr:
> (1) # touch foo
> (2) # chmod u+s foo
> (3) # setcap '' foo
>
> Then in the guest let some process truncate that file after it has
> dropped all of its capabilities (at least CAP_FSETID):
>
> int main(int argc, char *argv[])
> {
> capng_setpid(getpid());
> capng_clear(CAPNG_SELECT_BOTH);
> capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
> capng_apply(CAPNG_SELECT_BOTH);
>
> ftruncate(open(argv[1], O_RDWR), 0);
> }
>
> This will cause the guest kernel to drop the sticky bit (i.e. perform a
> mode change) as part of the truncate (where FATTR_FH is set), and that
> will cause virtiofsd to invoke fchmod() instead of fchmodat().
>
> (A similar configuration exists further below with futimens() vs.
> utimensat(), but the former is not a syscall but just a wrapper for the
> latter, so no further whitelisting is required.)
>
> Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
> Reported-by: Qian Cai <caiqian@redhat.com>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Max Reitz <mreitz@redhat.com>
Nicely found!
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
> tools/virtiofsd/seccomp.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
> index bd9e7b083c..3b1522acdd 100644
> --- a/tools/virtiofsd/seccomp.c
> +++ b/tools/virtiofsd/seccomp.c
> @@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
> SCMP_SYS(exit_group),
> SCMP_SYS(fallocate),
> SCMP_SYS(fchdir),
> + SCMP_SYS(fchmod),
> SCMP_SYS(fchmodat),
> SCMP_SYS(fchownat),
> SCMP_SYS(fcntl),
> --
> 2.26.2
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
On Mon, Jun 08, 2020 at 11:31:11AM +0200, Max Reitz wrote:
> lo_setattr() invokes fchmod() in a rarely used code path, so it should
> be whitelisted or virtiofsd will crash with EBADSYS.
>
> Said code path can be triggered for example as follows:
>
> On the host, in the shared directory, create a file with the sticky bit
> set and a security.capability xattr:
> (1) # touch foo
> (2) # chmod u+s foo
> (3) # setcap '' foo
>
> Then in the guest let some process truncate that file after it has
> dropped all of its capabilities (at least CAP_FSETID):
>
> int main(int argc, char *argv[])
> {
> capng_setpid(getpid());
> capng_clear(CAPNG_SELECT_BOTH);
> capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
> capng_apply(CAPNG_SELECT_BOTH);
>
> ftruncate(open(argv[1], O_RDWR), 0);
> }
>
> This will cause the guest kernel to drop the sticky bit (i.e. perform a
> mode change) as part of the truncate (where FATTR_FH is set), and that
> will cause virtiofsd to invoke fchmod() instead of fchmodat().
>
> (A similar configuration exists further below with futimens() vs.
> utimensat(), but the former is not a syscall but just a wrapper for the
> latter, so no further whitelisting is required.)
>
> Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
> Reported-by: Qian Cai <caiqian@redhat.com>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Max Reitz <mreitz@redhat.com>
Nice catch.
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Vivek
> ---
> tools/virtiofsd/seccomp.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
> index bd9e7b083c..3b1522acdd 100644
> --- a/tools/virtiofsd/seccomp.c
> +++ b/tools/virtiofsd/seccomp.c
> @@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
> SCMP_SYS(exit_group),
> SCMP_SYS(fallocate),
> SCMP_SYS(fchdir),
> + SCMP_SYS(fchmod),
> SCMP_SYS(fchmodat),
> SCMP_SYS(fchownat),
> SCMP_SYS(fcntl),
> --
> 2.26.2
>
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs@redhat.com
> https://www.redhat.com/mailman/listinfo/virtio-fs
* Max Reitz (mreitz@redhat.com) wrote:
> lo_setattr() invokes fchmod() in a rarely used code path, so it should
> be whitelisted or virtiofsd will crash with EBADSYS.
>
> Said code path can be triggered for example as follows:
>
> On the host, in the shared directory, create a file with the sticky bit
> set and a security.capability xattr:
> (1) # touch foo
> (2) # chmod u+s foo
> (3) # setcap '' foo
>
> Then in the guest let some process truncate that file after it has
> dropped all of its capabilities (at least CAP_FSETID):
>
> int main(int argc, char *argv[])
> {
> capng_setpid(getpid());
> capng_clear(CAPNG_SELECT_BOTH);
> capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, 0);
> capng_apply(CAPNG_SELECT_BOTH);
>
> ftruncate(open(argv[1], O_RDWR), 0);
> }
>
> This will cause the guest kernel to drop the sticky bit (i.e. perform a
> mode change) as part of the truncate (where FATTR_FH is set), and that
> will cause virtiofsd to invoke fchmod() instead of fchmodat().
>
> (A similar configuration exists further below with futimens() vs.
> utimensat(), but the former is not a syscall but just a wrapper for the
> latter, so no further whitelisting is required.)
>
> Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1842667
> Reported-by: Qian Cai <caiqian@redhat.com>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Max Reitz <mreitz@redhat.com>
Queued.
> ---
> tools/virtiofsd/seccomp.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/tools/virtiofsd/seccomp.c b/tools/virtiofsd/seccomp.c
> index bd9e7b083c..3b1522acdd 100644
> --- a/tools/virtiofsd/seccomp.c
> +++ b/tools/virtiofsd/seccomp.c
> @@ -42,6 +42,7 @@ static const int syscall_whitelist[] = {
> SCMP_SYS(exit_group),
> SCMP_SYS(fallocate),
> SCMP_SYS(fchdir),
> + SCMP_SYS(fchmod),
> SCMP_SYS(fchmodat),
> SCMP_SYS(fchownat),
> SCMP_SYS(fcntl),
> --
> 2.26.2
>
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
© 2016 - 2024 Red Hat, Inc.