From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com, qemu-devel@nongnu.org,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Date: Thu, 18 Jun 2020 20:16:55 +0100 [thread overview]
Message-ID: <20200618191655.GI2769@work-vm> (raw)
In-Reply-To: <20200618190816.GD3814@redhat.com>
* Vivek Goyal (vgoyal@redhat.com) wrote:
> On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> > whitelisted set of capabilities that we require. This improves security in
> > case virtiofsd is compromised by making it hard for an attacker to gain further
> > access to the system.
>
> Hi Stefan,
>
> I just noticed that this patch set breaks overlayfs on top of virtiofs.
>
> overlayfs sets "trusted.overlay.*" and xattrs in trusted domain
> need CAP_SYS_ADMIN.
>
> man xattr says.
>
> Trusted extended attributes
> Trusted extended attributes are visible and accessible only to pro‐
> cesses that have the CAP_SYS_ADMIN capability. Attributes in this
> class are used to implement mechanisms in user space (i.e., outside the
> kernel) which keep information in extended attributes to which ordinary
> processes should not have access.
>
> There is a chance that overlay moves away from trusted xattr in future.
> But for now we need to make it work. This is an important use case for
> kata docker in docker build.
>
> May be we can add an option to virtiofsd say "--add-cap <capability>" and
> ask user to pass in "--add-cap cap_sys_admin" if they need to run daemon
> with this capaibility.
I'll admit I don't like the idea of giving it cap_sys_admin.
Can you explain:
a) What overlayfs uses trusted for?
b) If something nasty was to write junk into the trusted attributes,
what would happen?
c) I see overlayfs has a fallback check if xattr isn't supported at
all - what is the consequence?
Dave
> Thanks
> Vivek
>
> >
> > Stefan Hajnoczi (2):
> > virtiofsd: only retain file system capabilities
> > virtiofsd: drop all capabilities in the wait parent process
> >
> > tools/virtiofsd/passthrough_ll.c | 51 ++++++++++++++++++++++++++++++++
> > 1 file changed, 51 insertions(+)
> >
> > --
> > 2.25.1
> >
> > _______________________________________________
> > Virtio-fs mailing list
> > Virtio-fs@redhat.com
> > https://www.redhat.com/mailman/listinfo/virtio-fs
>
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs@redhat.com
> https://www.redhat.com/mailman/listinfo/virtio-fs
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
WARNING: multiple messages have this Message-ID (diff)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com, qemu-devel@nongnu.org,
Stefan Hajnoczi <stefanha@redhat.com>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Date: Thu, 18 Jun 2020 20:16:55 +0100 [thread overview]
Message-ID: <20200618191655.GI2769@work-vm> (raw)
In-Reply-To: <20200618190816.GD3814@redhat.com>
* Vivek Goyal (vgoyal@redhat.com) wrote:
> On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> > whitelisted set of capabilities that we require. This improves security in
> > case virtiofsd is compromised by making it hard for an attacker to gain further
> > access to the system.
>
> Hi Stefan,
>
> I just noticed that this patch set breaks overlayfs on top of virtiofs.
>
> overlayfs sets "trusted.overlay.*" and xattrs in trusted domain
> need CAP_SYS_ADMIN.
>
> man xattr says.
>
> Trusted extended attributes
> Trusted extended attributes are visible and accessible only to pro‐
> cesses that have the CAP_SYS_ADMIN capability. Attributes in this
> class are used to implement mechanisms in user space (i.e., outside the
> kernel) which keep information in extended attributes to which ordinary
> processes should not have access.
>
> There is a chance that overlay moves away from trusted xattr in future.
> But for now we need to make it work. This is an important use case for
> kata docker in docker build.
>
> May be we can add an option to virtiofsd say "--add-cap <capability>" and
> ask user to pass in "--add-cap cap_sys_admin" if they need to run daemon
> with this capaibility.
I'll admit I don't like the idea of giving it cap_sys_admin.
Can you explain:
a) What overlayfs uses trusted for?
b) If something nasty was to write junk into the trusted attributes,
what would happen?
c) I see overlayfs has a fallback check if xattr isn't supported at
all - what is the consequence?
Dave
> Thanks
> Vivek
>
> >
> > Stefan Hajnoczi (2):
> > virtiofsd: only retain file system capabilities
> > virtiofsd: drop all capabilities in the wait parent process
> >
> > tools/virtiofsd/passthrough_ll.c | 51 ++++++++++++++++++++++++++++++++
> > 1 file changed, 51 insertions(+)
> >
> > --
> > 2.25.1
> >
> > _______________________________________________
> > Virtio-fs mailing list
> > Virtio-fs@redhat.com
> > https://www.redhat.com/mailman/listinfo/virtio-fs
>
> _______________________________________________
> Virtio-fs mailing list
> Virtio-fs@redhat.com
> https://www.redhat.com/mailman/listinfo/virtio-fs
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2020-06-18 19:16 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-16 16:49 [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7) Stefan Hajnoczi
2020-04-16 16:49 ` Stefan Hajnoczi
2020-04-16 16:49 ` [Virtio-fs] [PATCH 1/2] virtiofsd: only retain file system capabilities Stefan Hajnoczi
2020-04-16 16:49 ` Stefan Hajnoczi
2020-04-28 11:48 ` [Virtio-fs] " Dr. David Alan Gilbert
2020-04-28 11:48 ` Dr. David Alan Gilbert
2020-04-16 16:49 ` [Virtio-fs] [PATCH 2/2] virtiofsd: drop all capabilities in the wait parent process Stefan Hajnoczi
2020-04-16 16:49 ` Stefan Hajnoczi
2020-04-16 17:50 ` [Virtio-fs] " Philippe Mathieu-Daudé
2020-04-16 17:50 ` Philippe Mathieu-Daudé
2020-04-16 20:10 ` [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7) Vivek Goyal
2020-04-16 20:10 ` Vivek Goyal
2020-04-17 9:42 ` [Virtio-fs] " Stefan Hajnoczi
2020-04-17 9:42 ` Stefan Hajnoczi
2020-05-01 18:28 ` [Virtio-fs] " Dr. David Alan Gilbert
2020-05-01 18:28 ` Dr. David Alan Gilbert
2020-06-18 19:08 ` [Virtio-fs] " Vivek Goyal
2020-06-18 19:16 ` Dr. David Alan Gilbert [this message]
2020-06-18 19:16 ` Dr. David Alan Gilbert
2020-06-18 19:27 ` Vivek Goyal
2020-06-18 19:27 ` Vivek Goyal
2020-06-19 4:46 ` Chirantan Ekbote
2020-06-19 4:46 ` Chirantan Ekbote
2020-06-19 8:39 ` Dr. David Alan Gilbert
2020-06-19 9:17 ` Chirantan Ekbote
2020-06-19 11:12 ` Dr. David Alan Gilbert
2020-06-19 19:15 ` Vivek Goyal
2020-06-19 19:15 ` Vivek Goyal
2020-06-25 3:19 ` Chirantan Ekbote
2020-06-25 3:19 ` Chirantan Ekbote
2020-06-25 12:55 ` Vivek Goyal
2020-06-25 12:55 ` Vivek Goyal
2020-07-13 8:54 ` Chirantan Ekbote
2020-07-13 8:54 ` Chirantan Ekbote
2020-07-13 13:39 ` Vivek Goyal
2020-07-13 13:39 ` Vivek Goyal
2020-07-13 21:39 ` Daniel Walsh
2020-07-14 12:33 ` Vivek Goyal
2020-07-14 17:16 ` Daniel Walsh
2020-06-19 8:27 ` Dr. David Alan Gilbert
2020-06-19 8:27 ` Dr. David Alan Gilbert
2020-06-19 11:39 ` Daniel P. Berrangé
2020-06-19 11:39 ` Daniel P. Berrangé
2020-06-19 11:49 ` Dr. David Alan Gilbert
2020-06-19 11:49 ` Dr. David Alan Gilbert
2020-06-19 12:05 ` Daniel P. Berrangé
2020-06-19 12:05 ` Daniel P. Berrangé
2020-06-19 17:41 ` Vivek Goyal
2020-06-19 17:41 ` Vivek Goyal
2020-06-19 19:12 ` Vivek Goyal
2020-06-19 19:12 ` Vivek Goyal
2020-06-26 11:26 ` Dr. David Alan Gilbert
2020-06-26 11:26 ` Dr. David Alan Gilbert
2020-06-19 16:09 ` Vivek Goyal
2020-06-19 16:09 ` Vivek Goyal
2020-06-19 16:16 ` Dr. David Alan Gilbert
2020-06-19 16:16 ` Dr. David Alan Gilbert
2020-06-19 17:11 ` Vivek Goyal
2020-06-19 17:11 ` Vivek Goyal
2020-06-19 17:16 ` Dr. David Alan Gilbert
2020-06-19 17:16 ` Dr. David Alan Gilbert
2020-06-19 14:16 ` Miklos Szeredi
2020-06-19 14:16 ` Miklos Szeredi
2020-06-19 14:25 ` Vivek Goyal
2020-06-19 14:25 ` Vivek Goyal
2020-06-19 15:26 ` Miklos Szeredi
2020-06-19 15:26 ` Miklos Szeredi
2020-06-19 15:57 ` Vivek Goyal
2020-06-19 15:57 ` Vivek Goyal
2020-06-19 14:29 ` Vivek Goyal
2020-06-19 14:29 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200618191655.GI2769@work-vm \
--to=dgilbert@redhat.com \
--cc=miklos@szeredi.hu \
--cc=qemu-devel@nongnu.org \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.