From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: berrange@redhat.com, vromanso@redhat.com, qemu-devel@nongnu.org,
virtio-fs@redhat.com
Subject: Re: [Virtio-fs] [PATCH v2 1/5] virtiofsd: Add notion of unprivileged mode
Date: Fri, 7 Aug 2020 17:33:00 +0100 [thread overview]
Message-ID: <20200807163300.GH2780@work-vm> (raw)
In-Reply-To: <20200730194736.173994-2-vgoyal@redhat.com>
* Vivek Goyal (vgoyal@redhat.com) wrote:
> At startup if we are running as non-root user, then internally set
> unpriviliged mode set. Also add a notion of sandbox NONE and set
> that internally in unprivileged mode. setting up namespaces and
> chroot() fails in unpriviliged mode.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> ---
> tools/virtiofsd/passthrough_ll.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> index e2fbc614fd..cd91c4a831 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -147,11 +147,13 @@ enum {
> enum {
> SANDBOX_NAMESPACE,
> SANDBOX_CHROOT,
> + SANDBOX_NONE,
> };
>
> struct lo_data {
> pthread_mutex_t mutex;
> int sandbox;
> + bool unprivileged;
> int debug;
> int writeback;
> int flock;
> @@ -3288,6 +3290,12 @@ int main(int argc, char *argv[])
> lo_map_init(&lo.dirp_map);
> lo_map_init(&lo.fd_map);
>
> + if (geteuid() != 0) {
> + lo.unprivileged = true;
> + lo.sandbox = SANDBOX_NONE;
> + fuse_log(FUSE_LOG_DEBUG, "Running in unprivileged passthrough mode.\n");
> + }
I don't like this being automatic; to switch to a less secure mode, the
user should have to explicitly ask for it; we don't want people
accidentally ending up with less security.
Also, I'm not sure that checking for geteuid() != 0 is the right test -
wouldn't the current virtiofsd run with a non-root user as long
as it had the correct capabilities?
I was doing to suggest we match cloud-hypervisor where we added
--disable-sandbox; but with this we now have a trinary switch;
so sandbox=none is probably the right way.
Dave
> if (fuse_parse_cmdline(&args, &opts) != 0) {
> goto err_out1;
> }
> --
> 2.25.4
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
WARNING: multiple messages have this Message-ID (diff)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: berrange@redhat.com, vromanso@redhat.com, dwalsh@redhat.com,
qemu-devel@nongnu.org, virtio-fs@redhat.com, stefanha@redhat.com
Subject: Re: [PATCH v2 1/5] virtiofsd: Add notion of unprivileged mode
Date: Fri, 7 Aug 2020 17:33:00 +0100 [thread overview]
Message-ID: <20200807163300.GH2780@work-vm> (raw)
In-Reply-To: <20200730194736.173994-2-vgoyal@redhat.com>
* Vivek Goyal (vgoyal@redhat.com) wrote:
> At startup if we are running as non-root user, then internally set
> unpriviliged mode set. Also add a notion of sandbox NONE and set
> that internally in unprivileged mode. setting up namespaces and
> chroot() fails in unpriviliged mode.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> ---
> tools/virtiofsd/passthrough_ll.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> index e2fbc614fd..cd91c4a831 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -147,11 +147,13 @@ enum {
> enum {
> SANDBOX_NAMESPACE,
> SANDBOX_CHROOT,
> + SANDBOX_NONE,
> };
>
> struct lo_data {
> pthread_mutex_t mutex;
> int sandbox;
> + bool unprivileged;
> int debug;
> int writeback;
> int flock;
> @@ -3288,6 +3290,12 @@ int main(int argc, char *argv[])
> lo_map_init(&lo.dirp_map);
> lo_map_init(&lo.fd_map);
>
> + if (geteuid() != 0) {
> + lo.unprivileged = true;
> + lo.sandbox = SANDBOX_NONE;
> + fuse_log(FUSE_LOG_DEBUG, "Running in unprivileged passthrough mode.\n");
> + }
I don't like this being automatic; to switch to a less secure mode, the
user should have to explicitly ask for it; we don't want people
accidentally ending up with less security.
Also, I'm not sure that checking for geteuid() != 0 is the right test -
wouldn't the current virtiofsd run with a non-root user as long
as it had the correct capabilities?
I was doing to suggest we match cloud-hypervisor where we added
--disable-sandbox; but with this we now have a trinary switch;
so sandbox=none is probably the right way.
Dave
> if (fuse_parse_cmdline(&args, &opts) != 0) {
> goto err_out1;
> }
> --
> 2.25.4
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2020-08-07 16:33 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-30 19:47 [Virtio-fs] [PATCH v2 0/5] virtiofsd: Add a unprivileged passthrough mode Vivek Goyal
2020-07-30 19:47 ` Vivek Goyal
2020-07-30 19:47 ` [Virtio-fs] [PATCH v2 1/5] virtiofsd: Add notion of unprivileged mode Vivek Goyal
2020-07-30 19:47 ` Vivek Goyal
2020-08-07 16:33 ` Dr. David Alan Gilbert [this message]
2020-08-07 16:33 ` Dr. David Alan Gilbert
2020-07-30 19:47 ` [Virtio-fs] [PATCH v2 2/5] virtiofsd: create lock/pid file in per user cache dir Vivek Goyal
2020-07-30 19:47 ` Vivek Goyal
2020-08-07 17:34 ` [Virtio-fs] " Dr. David Alan Gilbert
2020-08-07 17:34 ` Dr. David Alan Gilbert
2020-07-30 19:47 ` [Virtio-fs] [PATCH v2 3/5] virtiofsd: open /proc/self/fd/ in sandbox=NONE mode Vivek Goyal
2020-07-30 19:47 ` Vivek Goyal
2020-08-07 17:42 ` [Virtio-fs] " Dr. David Alan Gilbert
2020-08-07 17:42 ` Dr. David Alan Gilbert
2020-07-30 19:47 ` [Virtio-fs] [PATCH v2 4/5] virtiofsd: Open lo->source while setting up root " Vivek Goyal
2020-07-30 19:47 ` Vivek Goyal
2020-08-03 9:54 ` [Virtio-fs] " Stefan Hajnoczi
2020-08-03 9:54 ` Stefan Hajnoczi
2020-08-03 13:57 ` [Virtio-fs] " Vivek Goyal
2020-08-03 13:57 ` Vivek Goyal
2020-08-04 10:36 ` [Virtio-fs] " Stefan Hajnoczi
2020-08-04 10:36 ` Stefan Hajnoczi
2020-07-30 19:47 ` [Virtio-fs] [PATCH v2 5/5] virtiofsd: Skip setup_capabilities() " Vivek Goyal
2020-07-30 19:47 ` Vivek Goyal
2020-08-07 17:58 ` [Virtio-fs] " Dr. David Alan Gilbert
2020-08-07 17:58 ` Dr. David Alan Gilbert
2020-08-03 9:45 ` [Virtio-fs] [PATCH v2 0/5] virtiofsd: Add a unprivileged passthrough mode Stefan Hajnoczi
2020-08-03 9:45 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200807163300.GH2780@work-vm \
--to=dgilbert@redhat.com \
--cc=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
--cc=vromanso@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.