From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com, qemu-devel@nongnu.org,
Stefan Hajnoczi <stefanha@redhat.com>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [Virtio-fs] [PATCH 0/2] virtiofsd: drop Linux capabilities(7)
Date: Fri, 19 Jun 2020 18:16:31 +0100 [thread overview]
Message-ID: <20200619171631.GK2690@work-vm> (raw)
In-Reply-To: <20200619171121.GE3154@redhat.com>
* Vivek Goyal (vgoyal@redhat.com) wrote:
> On Fri, Jun 19, 2020 at 05:16:48PM +0100, Dr. David Alan Gilbert wrote:
>
> [..]
> > > > > > b) If something nasty was to write junk into the trusted attributes,
> > > > > > what would happen?
> > > > >
> > > > > This directory is owned by guest. So it should be able to write
> > > > > anything it wants, as long as process in guest has CAP_SYS_ADMIN, right?
> > > >
> > > > Well, we shouldn't be able to break/crash/escape into the host; how
> > > > much does overlayfs validate trusted.* it uses?
> > >
> > > I thought qemu and kvm are the one who should ensure we should not be
> > > able to break out of sandbox. Kernel implementation could be as
> > > buggy as it wanted to be. We are working with this security model
> > > that kernel is completely untrusted.
> >
> > But with virtiofs we allow the guest to do a lot of filesystem
> > operations on the host. It's the virtiofsd that has to ensure that
> > these are safe and contained within the fs it's exposed; the qemu/kvm
> > can't protect us from that.
>
> Fair enough. I should have added virtiofsd to list. Its an attack
> vector and is of concern.
>
> >
> > That's why we sandbox the virtiofsd like we do - if we allow a
> > priviliged guest to perform calls to an unconstrained virtiofsd it would
> > be able to escape. That's what I want to check.
>
> Sure. So does giving CAP_SYS_ADMIN to virtiofsd allow daemon to escape
> the jail.
So that's *my* question - what bad things can someone do by setting
attributes (trusted/system/security) - it's fine if they break they
screwup the security inside the container, because they'd need to be
CAP_SYS_ADMIN inside the container to do it - as long as they can't
break the host. So what happens if someone starts doing bad things to
trusted.* attributes on an overlayfs - no other fs uses them as far as I
know.
> If it does we need to implement what crossvm folks did,
> remapping of trusted xattr. That will also allow us to run inside
> user namespace and still be able to support trusted xattr emulation
> for guest.
I think we need to do that anyway, it's just going to take a while to
figure out.
Dave
>
> Vivek
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2020-06-19 17:20 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-16 16:49 [PATCH 0/2] virtiofsd: drop Linux capabilities(7) Stefan Hajnoczi
2020-04-16 16:49 ` [PATCH 1/2] virtiofsd: only retain file system capabilities Stefan Hajnoczi
2020-04-28 11:48 ` Dr. David Alan Gilbert
2020-04-16 16:49 ` [PATCH 2/2] virtiofsd: drop all capabilities in the wait parent process Stefan Hajnoczi
2020-04-16 17:50 ` Philippe Mathieu-Daudé
2020-04-16 20:10 ` [PATCH 0/2] virtiofsd: drop Linux capabilities(7) Vivek Goyal
2020-04-17 9:42 ` Stefan Hajnoczi
2020-05-01 18:28 ` Dr. David Alan Gilbert
2020-06-18 19:08 ` [Virtio-fs] " Vivek Goyal
2020-06-18 19:16 ` Dr. David Alan Gilbert
2020-06-18 19:27 ` Vivek Goyal
2020-06-19 4:46 ` Chirantan Ekbote
2020-06-19 8:39 ` Dr. David Alan Gilbert
2020-06-19 9:17 ` Chirantan Ekbote
2020-06-19 11:12 ` Dr. David Alan Gilbert
2020-06-19 19:15 ` Vivek Goyal
2020-06-25 3:19 ` Chirantan Ekbote
2020-06-25 12:55 ` Vivek Goyal
2020-07-13 8:54 ` Chirantan Ekbote
2020-07-13 13:39 ` Vivek Goyal
2020-06-19 8:27 ` Dr. David Alan Gilbert
2020-06-19 11:39 ` Daniel P. Berrangé
2020-06-19 11:49 ` Dr. David Alan Gilbert
2020-06-19 12:05 ` Daniel P. Berrangé
2020-06-19 17:41 ` Vivek Goyal
2020-06-19 19:12 ` Vivek Goyal
2020-06-26 11:26 ` Dr. David Alan Gilbert
2020-06-19 16:09 ` Vivek Goyal
2020-06-19 16:16 ` Dr. David Alan Gilbert
2020-06-19 17:11 ` Vivek Goyal
2020-06-19 17:16 ` Dr. David Alan Gilbert [this message]
2020-06-19 14:16 ` Miklos Szeredi
2020-06-19 14:25 ` Vivek Goyal
2020-06-19 15:26 ` Miklos Szeredi
2020-06-19 15:57 ` Vivek Goyal
2020-06-19 14:29 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200619171631.GK2690@work-vm \
--to=dgilbert@redhat.com \
--cc=miklos@szeredi.hu \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).