From: Stefan Hajnoczi <stefanha@gmail.com>
To: Colin Walters <walters@verbum.org>
Cc: qemu-devel@nongnu.org
Subject: Re: [PATCH] virtiofsd: Use clone() and not unshare(), support non-root
Date: Wed, 17 Jun 2020 13:50:14 +0100 [thread overview]
Message-ID: <20200617125014.GC1728005@stefanha-x1.localdomain> (raw)
In-Reply-To: <7b355ffb-2b96-4984-a198-ac40a07c422e@www.fastmail.com>
[-- Attachment #1: Type: text/plain, Size: 1898 bytes --]
On Tue, Jun 02, 2020 at 09:53:18PM -0400, Colin Walters wrote:
> On Tue, Jun 2, 2020, at 5:55 AM, Stefan Hajnoczi wrote:
> > Ping Colin. It would be great if you have time to share your thoughts on
> > this discussion and explain how you are using this patch.
>
> Yeah sorry about not replying in this thread earlier, this was just a quick Friday side project for me and the thread obviously exploded =)
>
> Thinking about this more, probably what would be good enough for now is an option to just disable internal containerization/sandboxing. In fact per the discussion our production pipeline runs inside OpenShift 4 and because Kubernetes doesn't support user namespaces yet it also doesn't support recursive containerization, so we need an option to turn off the internal containerization.
>
> Our use case is somewhat specialized - for what we're doing we generally trust the guest. We use VMs for operating system testing and development of content we trust, as opposed to e.g. something like kata.
>
> It's fine for us to run virtiofs as the same user/security context as qemu.
>
> So...something like this? (Only compile tested)
...
> @@ -2775,6 +2775,8 @@ static void setup_capabilities(void)
> static void setup_sandbox(struct lo_data *lo, struct fuse_session *se,
> bool enable_syslog)
> {
> + if (se->no_namespaces)
> + return;
> setup_namespaces(lo, se);
> setup_mounts(lo->source);
> setup_seccomp(enable_syslog);
Something along these lines should work. Hopefully seccomp can be
retained. It would also be necessary to check how not having the shared
directory as / in the mount namespace affects functionality. For one,
I'm pretty sure symlink escapes and similar path traversals outside the
shared directory will be possible since virtiofsd normally relies on /
as protection.
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2020-06-17 12:51 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-01 18:25 [PATCH] virtiofsd: Use clone() and not unshare(), support non-root Colin Walters
2020-05-04 9:51 ` Daniel P. Berrangé
2020-05-04 13:49 ` Stefan Hajnoczi
2020-05-04 14:07 ` Marc-André Lureau
2020-05-04 14:20 ` Colin Walters
2020-05-04 15:43 ` Marc-André Lureau
2020-05-05 15:23 ` Stefan Hajnoczi
2020-05-05 15:32 ` Daniel P. Berrangé
2020-05-06 19:16 ` Dr. David Alan Gilbert
2020-05-07 9:28 ` Daniel P. Berrangé
2020-05-21 10:19 ` Stefan Hajnoczi
2020-05-21 10:43 ` Daniel P. Berrangé
2020-05-27 11:16 ` Stefan Hajnoczi
2020-06-02 9:55 ` Stefan Hajnoczi
2020-06-03 1:53 ` Colin Walters
2020-06-17 12:50 ` Stefan Hajnoczi [this message]
2020-06-17 12:55 ` Colin Walters
2020-06-23 12:34 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200617125014.GC1728005@stefanha-x1.localdomain \
--to=stefanha@gmail.com \
--cc=qemu-devel@nongnu.org \
--cc=walters@verbum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).