From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: virtio-fs@redhat.com,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>
Subject: [PATCH 0/2] virtiofsd: add net and pid namespace sandboxing
Date: Wed, 16 Oct 2019 17:01:55 +0100
Message-ID: <20191016160157.12414-1-stefanha@redhat.com>

These patches are based on gitlab.com/virtio-fs/qemu.git virtio-fs-dev.

virtiofsd is sandboxed so that it does not have access to the system in the
event that the process is compromised.  At the moment we use seccomp and mount
namespaces to restrict the list of allowed syscalls and only give access to the
shared directory.

This patch series enhances sandboxing by putting virtiofsd into an empty
network and pid namespace.  If the process is compromised it will be unable to
perform network activity, even to localhost services running on the host.  It
will also be unable to see other processes running on the system since it runs
as pid 1 in a new pid namespace.

These enhancements are inspired by the Crosvm virtio-fs device's jail
configuration.

Stefan Hajnoczi (2):
  virtiofsd: move to an empty network namespace
  virtiofsd: move to a new pid namespace

 contrib/virtiofsd/passthrough_ll.c | 109 +++++++++++++++++++++++------
 1 file changed, 86 insertions(+), 23 deletions(-)

-- 
2.21.0
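
Added example, not part of the original message or the patch series: a check that a process really is in the sandbox described above, namely PID 1 of a nested PID namespace with no network interface other than lo. It assumes the text comes from /proc/<pid>/status and /proc/<pid>/net/dev read in the host's PID namespace; the function names and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Interfaces other than "lo" in /proc/<pid>/net/dev-format text. The first two
 * lines are column headers; an empty network namespace lists only lo. */
int count_non_lo_ifaces(const char *netdev) {
    int line = 0, count = 0;
    char name[32];
    for (const char *p = netdev; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        const char *q = p + strspn(p, " \t");
        if (++line > 2 && sscanf(q, "%31[^: \t\n]", name) == 1 && strcmp(name, "lo"))
            count++;
    }
    return count;
}

/* Number of PIDs on the "NSpid:" line of /proc/<pid>/status-format text, one per
 * nested PID namespace; *inner receives the last (innermost) one. */
int nspid_depth(const char *status, long *inner) {
    const char *p = strstr(status, "NSpid:");
    int depth = 0;
    for (p = p ? p + 6 : ""; *p && *p != '\n'; depth++) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) break;              /* no further number on this line */
        *inner = v;
        for (p = end; *p == ' ' || *p == '\t'; p++) ;
    }
    return depth;
}

/* 1 if the process is PID 1 of a nested PID namespace and sees no interface but lo. */
int sandbox_ok(const char *status, const char *netdev) {
    long inner = -1;
    return nspid_depth(status, &inner) >= 2 && inner == 1 && !count_non_lo_ifaces(netdev);
}

/* Constructed sample inputs (columns abbreviated), not captured from a real host. */
#define HDR "Inter-|   Receive   |  Transmit\n face |bytes packets|bytes packets\n"
const char *JAILED_STATUS = "Name:\tvirtiofsd\nPid:\t4242\nNSpid:\t4242\t1\n";
const char *HOST_STATUS = "Name:\tvirtiofsd\nPid:\t4242\nNSpid:\t4242\n";
const char *EMPTY_NETNS = HDR "    lo:     0     0     0     0\n";
const char *HOST_NETNS = HDR "    lo:  9120    76  9120    76\n  eth0: 48211   331 12039   287\n";

int main(void) {
    printf("jailed=%d shared_net=%d\n", sandbox_ok(JAILED_STATUS, EMPTY_NETNS),
           sandbox_ok(JAILED_STATUS, HOST_NETNS));
    return 0;
}
```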



Thread overview: 9+ messages
2019-10-16 16:01 Stefan Hajnoczi [this message]
2019-10-16 16:01 ` [PATCH 1/2] virtiofsd: move to an empty network namespace Stefan Hajnoczi
2019-10-23  9:34   ` Dr. David Alan Gilbert
2019-10-16 16:01 ` [PATCH 2/2] virtiofsd: move to a new pid namespace Stefan Hajnoczi
2019-10-17 14:45   ` [Virtio-fs] " Vivek Goyal
2019-10-17 16:11     ` Stefan Hajnoczi
2019-10-23  9:46   ` Dr. David Alan Gilbert
2019-10-24 10:26   ` Daniel P. Berrangé
2019-10-25 12:53     ` Stefan Hajnoczi
