From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org, renzhen@linux.alibaba.com,
eguan@linux.alibaba.com, ganesh.mahalingam@intel.com,
m.mizuma@jp.fujitsu.com, mszeredi@redhat.com,
misono.tomohiro@jp.fujitsu.com, tao.peng@linux.alibaba.com,
piaojun@huawei.com, stefanha@redhat.com, vgoyal@redhat.com,
mst@redhat.com, berrange@redhat.com
Subject: [PATCH 00/25] virtiofs daemon (security)
Date: Thu, 24 Oct 2019 12:26:53 +0100 [thread overview]
Message-ID: <20191024112718.34657-1-dgilbert@redhat.com> (raw)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Hi,
This is the 2nd set for the virtiofsd - this set sits
on top of the 'base' set recently posted. Most of the changes
in the set are security related (with a couple more tagging
along because they were hard to separate).
Stefan's main chunks make the daemon check the input from
the guest; the upstream fuse code is much more trusting
about what it gets from the kernel; here the security
equation is inverted and the daemon is more trusted.
In adition the daemon now gets sandboxing/namespacing/seccomp
limited to stop anything escaping.
With this set virtiofsd is reasonably safe to use; we've
got some bug fixes (including some threading fixes) to send
as well though.
Dave
Dr. David Alan Gilbert (2):
virtiofsd: Plumb fuse_bufvec through to do_write_buf
virtiofsd: Pass write iov's all the way through
Eryu Guan (1):
virtiofsd: print log only when priority is high enough
Miklos Szeredi (1):
virtiofsd: passthrough_ll: add fallback for racy ops
Stefan Hajnoczi (18):
virtiofsd: passthrough_ll: add lo_map for ino/fh indirection
virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers
virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers
virtiofsd: passthrough_ll: add fd_map to hide file descriptors
virtiofsd: validate path components
virtiofsd: add fuse_mbuf_iter API
virtiofsd: validate input buffer sizes in do_write_buf()
virtiofsd: check input buffer size in fuse_lowlevel.c ops
virtiofsd: prevent ".." escape in lo_do_lookup()
virtiofsd: prevent ".." escape in lo_do_readdir()
virtiofsd: use /proc/self/fd/ O_PATH file descriptor
virtiofsd: sandbox mount namespace
virtiofsd: move to an empty network namespace
virtiofsd: move to a new pid namespace
virtiofsd: add seccomp whitelist
virtiofsd: set maximum RLIMIT_NOFILE limit
virtiofsd: add security guide document
virtiofsd: add --syslog command-line option
Vivek Goyal (3):
virtiofsd: passthrough_ll: create new files in caller's context
virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV
virtiofsd: Drop CAP_FSETID if client asked for it
contrib/virtiofsd/Makefile.objs | 7 +-
contrib/virtiofsd/buffer.c | 28 +
contrib/virtiofsd/fuse_common.h | 53 +-
contrib/virtiofsd/fuse_i.h | 2 +-
contrib/virtiofsd/fuse_log.c | 4 +
contrib/virtiofsd/fuse_lowlevel.c | 779 +++++++++++-----
contrib/virtiofsd/fuse_lowlevel.h | 2 +
contrib/virtiofsd/fuse_virtio.c | 72 +-
contrib/virtiofsd/helper.c | 11 +-
contrib/virtiofsd/passthrough_ll.c | 1317 ++++++++++++++++++++++++----
contrib/virtiofsd/seccomp.c | 146 +++
contrib/virtiofsd/seccomp.h | 16 +
contrib/virtiofsd/security.rst | 108 +++
13 files changed, 2152 insertions(+), 393 deletions(-)
create mode 100644 contrib/virtiofsd/seccomp.c
create mode 100644 contrib/virtiofsd/seccomp.h
create mode 100644 contrib/virtiofsd/security.rst
--
2.23.0
next reply other threads:[~2019-10-24 13:08 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-24 11:26 Dr. David Alan Gilbert (git) [this message]
2019-10-24 11:26 ` [PATCH 01/25] virtiofsd: passthrough_ll: create new files in caller's context Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 02/25] virtiofsd: passthrough_ll: add lo_map for ino/fh indirection Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 03/25] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 04/25] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 05/25] virtiofsd: passthrough_ll: add fd_map to hide file descriptors Dr. David Alan Gilbert (git)
2019-10-24 11:26 ` [PATCH 06/25] virtiofsd: passthrough_ll: add fallback for racy ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 07/25] virtiofsd: validate path components Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 08/25] virtiofsd: Plumb fuse_bufvec through to do_write_buf Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 09/25] virtiofsd: Pass write iov's all the way through Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 10/25] virtiofsd: add fuse_mbuf_iter API Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 11/25] virtiofsd: validate input buffer sizes in do_write_buf() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 12/25] virtiofsd: check input buffer size in fuse_lowlevel.c ops Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 13/25] virtiofsd: prevent ".." escape in lo_do_lookup() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 14/25] virtiofsd: prevent ".." escape in lo_do_readdir() Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 16/25] virtiofsd: sandbox mount namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 17/25] virtiofsd: move to an empty network namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 18/25] virtiofsd: move to a new pid namespace Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 19/25] virtiofsd: add seccomp whitelist Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 20/25] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 21/25] virtiofsd: Drop CAP_FSETID if client asked for it Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 23/25] virtiofsd: add security guide document Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 24/25] virtiofsd: add --syslog command-line option Dr. David Alan Gilbert (git)
2019-10-24 11:27 ` [PATCH 25/25] virtiofsd: print log only when priority is high enough Dr. David Alan Gilbert (git)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191024112718.34657-1-dgilbert@redhat.com \
--to=dgilbert@redhat.com \
--cc=berrange@redhat.com \
--cc=eguan@linux.alibaba.com \
--cc=ganesh.mahalingam@intel.com \
--cc=m.mizuma@jp.fujitsu.com \
--cc=misono.tomohiro@jp.fujitsu.com \
--cc=mst@redhat.com \
--cc=mszeredi@redhat.com \
--cc=piaojun@huawei.com \
--cc=qemu-devel@nongnu.org \
--cc=renzhen@linux.alibaba.com \
--cc=stefanha@redhat.com \
--cc=tao.peng@linux.alibaba.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).