From: Vivek Goyal <vgoyal@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: virtio-fs@redhat.com, qemu-devel@nongnu.org,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Date: Thu, 18 Jun 2020 15:27:17 -0400 [thread overview]
Message-ID: <20200618192717.GE3814@redhat.com> (raw)
In-Reply-To: <20200618191655.GI2769@work-vm>
On Thu, Jun 18, 2020 at 08:16:55PM +0100, Dr. David Alan Gilbert wrote:
> * Vivek Goyal (vgoyal@redhat.com) wrote:
> > On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > > virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> > > whitelisted set of capabilities that we require. This improves security in
> > > case virtiofsd is compromised by making it hard for an attacker to gain further
> > > access to the system.
> >
> > Hi Stefan,
> >
> > I just noticed that this patch set breaks overlayfs on top of virtiofs.
> >
> > overlayfs sets "trusted.overlay.*" and xattrs in trusted domain
> > need CAP_SYS_ADMIN.
> >
> > man xattr says.
> >
> > Trusted extended attributes
> > Trusted extended attributes are visible and accessible only to pro‐
> > cesses that have the CAP_SYS_ADMIN capability. Attributes in this
> > class are used to implement mechanisms in user space (i.e., outside the
> > kernel) which keep information in extended attributes to which ordinary
> > processes should not have access.
> >
> > There is a chance that overlay moves away from trusted xattr in future.
> > But for now we need to make it work. This is an important use case for
> > kata docker in docker build.
> >
> > May be we can add an option to virtiofsd say "--add-cap <capability>" and
> > ask user to pass in "--add-cap cap_sys_admin" if they need to run daemon
> > with this capaibility.
>
> I'll admit I don't like the idea of giving it cap_sys_admin.
> Can you explain:
> a) What overlayfs uses trusted for?
overlayfs stores bunch of metadata and uses "trusted" xattrs for it.
> b) If something nasty was to write junk into the trusted attributes,
> what would happen?
This directory is owned by guest. So it should be able to write
anything it wants, as long as process in guest has CAP_SYS_ADMIN, right?
> c) I see overlayfs has a fallback check if xattr isn't supported at
> all - what is the consequence?
It falls back to I think read only mode.
For a moment forget about overlayfs. Say a user process in guest with
CAP_SYS_ADMIN is writing trusted.foo. Should that succeed? Is a
passthrough filesystem, so it should go through. But currently it
wont.
Thanks
Vivek
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: virtio-fs@redhat.com, qemu-devel@nongnu.org,
Stefan Hajnoczi <stefanha@redhat.com>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Date: Thu, 18 Jun 2020 15:27:17 -0400 [thread overview]
Message-ID: <20200618192717.GE3814@redhat.com> (raw)
In-Reply-To: <20200618191655.GI2769@work-vm>
On Thu, Jun 18, 2020 at 08:16:55PM +0100, Dr. David Alan Gilbert wrote:
> * Vivek Goyal (vgoyal@redhat.com) wrote:
> > On Thu, Apr 16, 2020 at 05:49:05PM +0100, Stefan Hajnoczi wrote:
> > > virtiofsd doesn't need of all Linux capabilities(7) available to root. Keep a
> > > whitelisted set of capabilities that we require. This improves security in
> > > case virtiofsd is compromised by making it hard for an attacker to gain further
> > > access to the system.
> >
> > Hi Stefan,
> >
> > I just noticed that this patch set breaks overlayfs on top of virtiofs.
> >
> > overlayfs sets "trusted.overlay.*" and xattrs in trusted domain
> > need CAP_SYS_ADMIN.
> >
> > man xattr says.
> >
> > Trusted extended attributes
> > Trusted extended attributes are visible and accessible only to pro‐
> > cesses that have the CAP_SYS_ADMIN capability. Attributes in this
> > class are used to implement mechanisms in user space (i.e., outside the
> > kernel) which keep information in extended attributes to which ordinary
> > processes should not have access.
> >
> > There is a chance that overlay moves away from trusted xattr in future.
> > But for now we need to make it work. This is an important use case for
> > kata docker in docker build.
> >
> > May be we can add an option to virtiofsd say "--add-cap <capability>" and
> > ask user to pass in "--add-cap cap_sys_admin" if they need to run daemon
> > with this capaibility.
>
> I'll admit I don't like the idea of giving it cap_sys_admin.
> Can you explain:
> a) What overlayfs uses trusted for?
overlayfs stores bunch of metadata and uses "trusted" xattrs for it.
> b) If something nasty was to write junk into the trusted attributes,
> what would happen?
This directory is owned by guest. So it should be able to write
anything it wants, as long as process in guest has CAP_SYS_ADMIN, right?
> c) I see overlayfs has a fallback check if xattr isn't supported at
> all - what is the consequence?
It falls back to I think read only mode.
For a moment forget about overlayfs. Say a user process in guest with
CAP_SYS_ADMIN is writing trusted.foo. Should that succeed? Is a
passthrough filesystem, so it should go through. But currently it
wont.
Thanks
Vivek
next prev parent reply other threads:[~2020-06-18 19:27 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-16 16:49 [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7) Stefan Hajnoczi
2020-04-16 16:49 ` Stefan Hajnoczi
2020-04-16 16:49 ` [Virtio-fs] [PATCH 1/2] virtiofsd: only retain file system capabilities Stefan Hajnoczi
2020-04-16 16:49 ` Stefan Hajnoczi
2020-04-28 11:48 ` [Virtio-fs] " Dr. David Alan Gilbert
2020-04-28 11:48 ` Dr. David Alan Gilbert
2020-04-16 16:49 ` [Virtio-fs] [PATCH 2/2] virtiofsd: drop all capabilities in the wait parent process Stefan Hajnoczi
2020-04-16 16:49 ` Stefan Hajnoczi
2020-04-16 17:50 ` [Virtio-fs] " Philippe Mathieu-Daudé
2020-04-16 17:50 ` Philippe Mathieu-Daudé
2020-04-16 20:10 ` [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7) Vivek Goyal
2020-04-16 20:10 ` Vivek Goyal
2020-04-17 9:42 ` [Virtio-fs] " Stefan Hajnoczi
2020-04-17 9:42 ` Stefan Hajnoczi
2020-05-01 18:28 ` [Virtio-fs] " Dr. David Alan Gilbert
2020-05-01 18:28 ` Dr. David Alan Gilbert
2020-06-18 19:08 ` [Virtio-fs] " Vivek Goyal
2020-06-18 19:16 ` Dr. David Alan Gilbert
2020-06-18 19:16 ` Dr. David Alan Gilbert
2020-06-18 19:27 ` Vivek Goyal [this message]
2020-06-18 19:27 ` Vivek Goyal
2020-06-19 4:46 ` Chirantan Ekbote
2020-06-19 4:46 ` Chirantan Ekbote
2020-06-19 8:39 ` Dr. David Alan Gilbert
2020-06-19 9:17 ` Chirantan Ekbote
2020-06-19 11:12 ` Dr. David Alan Gilbert
2020-06-19 19:15 ` Vivek Goyal
2020-06-19 19:15 ` Vivek Goyal
2020-06-25 3:19 ` Chirantan Ekbote
2020-06-25 3:19 ` Chirantan Ekbote
2020-06-25 12:55 ` Vivek Goyal
2020-06-25 12:55 ` Vivek Goyal
2020-07-13 8:54 ` Chirantan Ekbote
2020-07-13 8:54 ` Chirantan Ekbote
2020-07-13 13:39 ` Vivek Goyal
2020-07-13 13:39 ` Vivek Goyal
2020-07-13 21:39 ` Daniel Walsh
2020-07-14 12:33 ` Vivek Goyal
2020-07-14 17:16 ` Daniel Walsh
2020-06-19 8:27 ` Dr. David Alan Gilbert
2020-06-19 8:27 ` Dr. David Alan Gilbert
2020-06-19 11:39 ` Daniel P. Berrangé
2020-06-19 11:39 ` Daniel P. Berrangé
2020-06-19 11:49 ` Dr. David Alan Gilbert
2020-06-19 11:49 ` Dr. David Alan Gilbert
2020-06-19 12:05 ` Daniel P. Berrangé
2020-06-19 12:05 ` Daniel P. Berrangé
2020-06-19 17:41 ` Vivek Goyal
2020-06-19 17:41 ` Vivek Goyal
2020-06-19 19:12 ` Vivek Goyal
2020-06-19 19:12 ` Vivek Goyal
2020-06-26 11:26 ` Dr. David Alan Gilbert
2020-06-26 11:26 ` Dr. David Alan Gilbert
2020-06-19 16:09 ` Vivek Goyal
2020-06-19 16:09 ` Vivek Goyal
2020-06-19 16:16 ` Dr. David Alan Gilbert
2020-06-19 16:16 ` Dr. David Alan Gilbert
2020-06-19 17:11 ` Vivek Goyal
2020-06-19 17:11 ` Vivek Goyal
2020-06-19 17:16 ` Dr. David Alan Gilbert
2020-06-19 17:16 ` Dr. David Alan Gilbert
2020-06-19 14:16 ` Miklos Szeredi
2020-06-19 14:16 ` Miklos Szeredi
2020-06-19 14:25 ` Vivek Goyal
2020-06-19 14:25 ` Vivek Goyal
2020-06-19 15:26 ` Miklos Szeredi
2020-06-19 15:26 ` Miklos Szeredi
2020-06-19 15:57 ` Vivek Goyal
2020-06-19 15:57 ` Vivek Goyal
2020-06-19 14:29 ` Vivek Goyal
2020-06-19 14:29 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200618192717.GE3814@redhat.com \
--to=vgoyal@redhat.com \
--cc=dgilbert@redhat.com \
--cc=miklos@szeredi.hu \
--cc=qemu-devel@nongnu.org \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.