[PATCH 16/25] virtiofsd: sandbox mount namespace

["Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>]

From: Stefan Hajnoczi <stefanha@redhat.com>

Use a mount namespace with the shared directory tree mounted at "/" and
no other mounts.

This prevents symlink escape attacks because symlink targets are
resolved only against the shared directory and cannot go outside it.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com>
---
 contrib/virtiofsd/passthrough_ll.c | 89 ++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)

diff --git a/contrib/virtiofsd/passthrough_ll.c b/contrib/virtiofsd/passthrough_ll.c
index 3ddf22d162..20a34d4d83 100644
--- a/contrib/virtiofsd/passthrough_ll.c
+++ b/contrib/virtiofsd/passthrough_ll.c
@@ -51,6 +51,7 @@
 #include <sys/file.h>
 #include <sys/syscall.h>
 #include <sys/xattr.h>
+#include <sys/mount.h>
 
 #include "passthrough_helpers.h"
 
@@ -1821,6 +1822,58 @@ static void print_capabilities(void)
 	printf("}\n");
 }
 
+/* This magic is based on lxc's lxc_pivot_root() */
+static void setup_pivot_root(const char *source)
+{
+	int oldroot;
+	int newroot;
+
+	oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+	if (oldroot < 0) {
+		fuse_log(FUSE_LOG_ERR, "open(/): %m\n");
+		exit(1);
+	}
+
+	newroot = open(source, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+	if (newroot < 0) {
+		fuse_log(FUSE_LOG_ERR, "open(%s): %m\n", source);
+		exit(1);
+	}
+
+	if (fchdir(newroot) < 0) {
+		fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");
+		exit(1);
+	}
+
+	if (syscall(__NR_pivot_root, ".", ".") < 0){
+		fuse_log(FUSE_LOG_ERR, "pivot_root(., .): %m\n");
+		exit(1);
+	}
+
+	if (fchdir(oldroot) < 0) {
+		fuse_log(FUSE_LOG_ERR, "fchdir(oldroot): %m\n");
+		exit(1);
+	}
+
+	if (mount("", ".", "", MS_SLAVE | MS_REC, NULL) < 0) {
+		fuse_log(FUSE_LOG_ERR, "mount(., MS_SLAVE | MS_REC): %m\n");
+		exit(1);
+	}
+
+	if (umount2(".", MNT_DETACH) < 0) {
+		fuse_log(FUSE_LOG_ERR, "umount2(., MNT_DETACH): %m\n");
+		exit(1);
+	}
+
+	if (fchdir(newroot) < 0) {
+		fuse_log(FUSE_LOG_ERR, "fchdir(newroot): %m\n");
+		exit(1);
+	}
+
+	close(newroot);
+	close(oldroot);
+}
+
 static void setup_proc_self_fd(struct lo_data *lo)
 {
 	lo->proc_self_fd = open("/proc/self/fd", O_PATH);
@@ -1830,6 +1883,39 @@ static void setup_proc_self_fd(struct lo_data *lo)
 	}
 }
 
+/*
+ * Make the source directory our root so symlinks cannot escape and no other
+ * files are accessible.
+ */
+static void setup_mount_namespace(const char *source)
+{
+	if (unshare(CLONE_NEWNS) != 0) {
+		fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNS): %m\n");
+		exit(1);
+	}
+
+	if (mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) < 0) {
+		fuse_log(FUSE_LOG_ERR, "mount(/, MS_REC|MS_PRIVATE): %m\n");
+		exit(1);
+	}
+
+	if (mount(source, source, NULL, MS_BIND, NULL) < 0) {
+		fuse_log(FUSE_LOG_ERR, "mount(%s, %s, MS_BIND): %m\n", source, source);
+		exit(1);
+	}
+
+	setup_pivot_root(source);
+}
+
+/*
+ * Lock down this process to prevent access to other processes or files outside
+ * source directory.  This reduces the impact of arbitrary code execution bugs.
+ */
+static void setup_sandbox(struct lo_data *lo)
+{
+	setup_mount_namespace(lo->source);
+}
+
 int main(int argc, char *argv[])
 {
 	struct fuse_args args = FUSE_ARGS_INIT(argc, argv);
@@ -1927,6 +2013,7 @@ int main(int argc, char *argv[])
 	}
 
 	lo.root.fd = open(lo.source, O_PATH);
+
 	if (lo.root.fd == -1) {
 		fuse_log(FUSE_LOG_ERR, "open(\"%s\", O_PATH): %m\n",
 			 lo.source);
@@ -1948,6 +2035,8 @@ int main(int argc, char *argv[])
 	/* Must be after daemonize to get the right /proc/self/fd */
 	setup_proc_self_fd(&lo);
 
+	setup_sandbox(&lo);
+
 	/* Block until ctrl+c or fusermount -u */
 	ret = virtio_loop(se);
 
-- 
2.23.0