From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org, renzhen@linux.alibaba.com,
eguan@linux.alibaba.com, ganesh.mahalingam@intel.com,
m.mizuma@jp.fujitsu.com, mszeredi@redhat.com,
misono.tomohiro@jp.fujitsu.com, tao.peng@linux.alibaba.com,
piaojun@huawei.com, stefanha@redhat.com, vgoyal@redhat.com,
mst@redhat.com, berrange@redhat.com
Subject: [PATCH 00/25] virtiofs daemon (security)
Date: Thu, 24 Oct 2019 12:26:53 +0100 [thread overview]
Message-ID: <20191024112718.34657-1-dgilbert@redhat.com> (raw)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Hi,
This is the 2nd set for the virtiofsd - this set sits
on top of the 'base' set recently posted. Most of the changes
in the set are security related (with a couple more tagging
along because they were hard to separate).
Stefan's main chunks make the daemon check the input from
the guest; the upstream fuse code is much more trusting
about what it gets from the kernel; here the security
equation is inverted and the daemon is more trusted.
In adition the daemon now gets sandboxing/namespacing/seccomp
limited to stop anything escaping.
With this set virtiofsd is reasonably safe to use; we've
got some bug fixes (including some threading fixes) to send
as well though.
Dave
Dr. David Alan Gilbert (2):
virtiofsd: Plumb fuse_bufvec through to do_write_buf
virtiofsd: Pass write iov's all the way through
Eryu Guan (1):
virtiofsd: print log only when priority is high enough
Miklos Szeredi (1):
virtiofsd: passthrough_ll: add fallback for racy ops
Stefan Hajnoczi (18):
virtiofsd: passthrough_ll: add lo_map for ino/fh indirection
virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers
virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers
virtiofsd: passthrough_ll: add fd_map to hide file descriptors
virtiofsd: validate path components
virtiofsd: add fuse_mbuf_iter API
virtiofsd: validate input buffer sizes in do_write_buf()
virtiofsd: check input buffer size in fuse_lowlevel.c ops
virtiofsd: prevent ".." escape in lo_do_lookup()
virtiofsd: prevent ".." escape in lo_do_readdir()
virtiofsd: use /proc/self/fd/ O_PATH file descriptor
virtiofsd: sandbox mount namespace
virtiofsd: move to an empty network namespace
virtiofsd: move to a new pid namespace
virtiofsd: add seccomp whitelist
virtiofsd: set maximum RLIMIT_NOFILE limit
virtiofsd: add security guide document
virtiofsd: add --syslog command-line option
Vivek Goyal (3):
virtiofsd: passthrough_ll: create new files in caller's context
virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV
virtiofsd: Drop CAP_FSETID if client asked for it
contrib/virtiofsd/Makefile.objs | 7 +-
contrib/virtiofsd/buffer.c | 28 +
contrib/virtiofsd/fuse_common.h | 53 +-
contrib/virtiofsd/fuse_i.h | 2 +-
contrib/virtiofsd/fuse_log.c | 4 +
contrib/virtiofsd/fuse_lowlevel.c | 779 +++++++++++-----
contrib/virtiofsd/fuse_lowlevel.h | 2 +
contrib/virtiofsd/fuse_virtio.c | 72 +-
contrib/virtiofsd/helper.c | 11 +-
contrib/virtiofsd/passthrough_ll.c | 1317 ++++++++++++++++++++++++----
contrib/virtiofsd/seccomp.c | 146 +++
contrib/virtiofsd/seccomp.h | 16 +
contrib/virtiofsd/security.rst | 108 +++
13 files changed, 2152 insertions(+), 393 deletions(-)
create mode 100644 contrib/virtiofsd/seccomp.c
create mode 100644 contrib/virtiofsd/seccomp.h
create mode 100644 contrib/virtiofsd/security.rst
--
2.23.0
next reply other threads:[~2019-10-24 13:08 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-24 11:26 Dr. David Alan Gilbert (git) [this message]
2019-10-24 11:26 ` [PATCH 01/25] virtiofsd: passthrough_ll: create new files in caller's context Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 02/25] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 03/25] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 04/25] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 05/25] virtiofsd: passthrough_ll: add fd_map to hide file descriptors Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 06/25] virtiofsd: passthrough_ll: add fallback for racy ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 07/25] virtiofsd: validate path components Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 08/25] virtiofsd: Plumb fuse_bufvec through to do_write_buf Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 09/25] virtiofsd: Pass write iov's all the way through Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 10/25] virtiofsd: add fuse_mbuf_iter API Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 11/25] virtiofsd: validate input buffer sizes in do_write_buf() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 12/25] virtiofsd: check input buffer size in fuse_lowlevel.c ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 13/25] virtiofsd: prevent ".." escape in lo_do_lookup() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 14/25] virtiofsd: prevent ".." escape in lo_do_readdir() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 16/25] virtiofsd: sandbox mount namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 17/25] virtiofsd: move to an empty network namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 18/25] virtiofsd: move to a new pid namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 19/25] virtiofsd: add seccomp whitelist Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 20/25] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 21/25] virtiofsd: Drop CAP_FSETID if client asked for it Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 23/25] virtiofsd: add security guide document Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 24/25] virtiofsd: add --syslog command-line option Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 25/25] virtiofsd: print log only when priority is high enough Dr. David Alan Gilbert (git)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191024112718.34657-1-dgilbert@redhat.com \
--to=dgilbert@redhat.com \
--cc=berrange@redhat.com \
--cc=eguan@linux.alibaba.com \
--cc=ganesh.mahalingam@intel.com \
--cc=m.mizuma@jp.fujitsu.com \
--cc=misono.tomohiro@jp.fujitsu.com \
--cc=mst@redhat.com \
--cc=mszeredi@redhat.com \
--cc=piaojun@huawei.com \
--cc=qemu-devel@nongnu.org \
--cc=renzhen@linux.alibaba.com \
--cc=stefanha@redhat.com \
--cc=tao.peng@linux.alibaba.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.