From: "Colin Walters"
To: qemu-devel@nongnu.org
Cc: "Dr. David Alan Gilbert", Stefan Hajnoczi
Date: Fri, 01 May 2020 14:25:48 -0400
Subject: [PATCH] virtiofsd: Use clone() and not unshare(), support non-root
Message-Id: <348d4774-bd5f-4832-bd7e-a21491fdac8d@www.fastmail.com>

I'd like to make use of virtiofs as part of our tooling in
https://github.com/coreos/coreos-assembler
Most of the code runs as non-root today; qemu also runs as non-root.
We use 9p right now.

virtiofsd's builtin sandboxing effectively assumes it runs as root.

First, change the code to use `clone()` and not `unshare()+fork()`.

Next, automatically use `CLONE_NEWUSER` if we're running as non-root.

This is similar logic to that in https://github.com/containers/bubblewrap
(Which...BTW, it could make sense for virtiofs to depend on bubblewrap
and re-exec itself rather than re-implementing the containerization itself)

Signed-off-by: Colin Walters
--- tools/virtiofsd/passthrough_ll.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index 4c35c95b25..468617f6d6 100644 
--- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2530,6 +2530,21 @@ static void print_capabilities(void) printf("}\n"); } =20 +/* Copied from bubblewrap */ +static int +raw_clone(unsigned long flags, void *child_stack) +{ +#if defined(__s390__) || defined(__CRIS__) + /* + * On s390 and cris the order of the first and second arguments + * of the raw clone() system call is reversed. + */ + return (int) syscall(__NR_clone, child_stack, flags); +#else + return (int) syscall(__NR_clone, flags, child_stack); +#endif +} + /* * Move to a new mount, net, and pid namespaces to isolate this process. */ @@ -2547,14 +2562,15 @@ static void setup_namespaces(struct lo_data *lo, st= ruct fuse_session *se) * an empty network namespace to prevent TCP/IP and other network * activity in case this process is compromised. */ - if (unshare(CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET) !=3D 0) { - fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWPID | CLONE_NEWNS): %m\n"= ); - exit(1); + int clone_flags =3D SIGCHLD | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNE= T; + /* If we're non root, we need a new user namespace */ + if (getuid() !=3D 0) { + clone_flags |=3D CLONE_NEWUSER; } =20 - child =3D fork(); + child =3D raw_clone(clone_flags, NULL); if (child < 0) { - fuse_log(FUSE_LOG_ERR, "fork() failed: %m\n"); + fuse_log(FUSE_LOG_ERR, "clone() failed: %m\n"); exit(1); } if (child > 0) { --=20 2.24.1
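Review bot: In the first hunk (@@ -2530), raw_clone() is documented only as "Copied from bubblewrap", which leaves its contract unstated. Because it bypasses the libc wrapper and is called with a NULL child_stack, it is only safe for fork-like use, that is, without CLONE_VM, and it returns -1 with errno set as syscall() does; a short comment saying so would stop a later caller from passing flags that share the address space. The patch adds no #include (all 21 insertions are accounted for by the two hunks), so please confirm that the file already pulls in <sys/syscall.h> for __NR_clone. On style, the return type sits on its own line ("static int" then "raw_clone(...)"), while the neighbouring definitions visible in the diff, print_capabilities() and setup_namespaces(), keep it on the same line as the name; matching them, and naming the bubblewrap source file in the comment, would make the provenance easier to audit.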
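Review bot: In the setup_namespaces() hunk (@@ -2547), CLONE_NEWUSER is set when getuid() != 0, but nothing in the visible change writes uid_map, gid_map or setgroups for the child. In a user namespace with no mappings every uid and gid shows up as the overflow id and the process cannot switch to any other id, so as far as this hunk shows the non-root path needs a follow-up step that writes at least a single-id mapping before the sandbox setup continues. Three smaller points on the same hunk: the check uses the real uid, whereas the permission that decides whether the namespaces can be created follows the effective uid and capabilities, so geteuid() is the closer test; replacing unshare() with clone flags means the parent now stays in its original mount and network namespaces (previously unshare() moved it into new ones), so the child > 0 branch should be checked for any reliance on that; and the comment above the function still reads "Move to a new mount, net, and pid namespaces" and should mention the user namespace. The "clone() failed: %m" message could also say which flags were requested, since a kernel that refuses unprivileged user namespaces will fail here with a bare errno.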