From: Laszlo Ersek <lersek@redhat.com>
To: Alex Xu <alex@alxu.ca>, qemu-devel@nongnu.org
Cc: mszeredi@redhat.com, slp@redhat.com,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
P J P <ppandit@redhat.com>,
virtio-fs@redhat.com, Stefan Hajnoczi <stefanha@redhat.com>,
vgoyal@redhat.com
Subject: Re: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
Date: Thu, 21 Jan 2021 18:07:26 +0100 [thread overview]
Message-ID: <8d4f7c40-95c7-feed-1744-73ca2349c1f2@redhat.com> (raw)
In-Reply-To: <1611243688.4854bsewsj.none@localhost>
On 01/21/21 16:52, Alex Xu wrote:
> Excerpts from Laszlo Ersek's message of January 21, 2021 10:32 am:
>> Assuming a benign / trusted guest, is there going to be an override for
>> this?
>>
>> Asked differently -- if we don't want to set up a separate block device
>> on the host, to contain the filesystem that is mounted as the shared
>> directory, can unionfs (?) / overlayfs be used to re-mount an existent
>> host-side directory as the shared directory, but with
>> "noexec,nosuid,nodev" *bolted-on*?
>>
>> If people have to create separate block devices (on the host side) for
>> innocent use cases such as running tests in a trusted guest, that's not
>> going to qualify as "usability progress" relative to having a qcow2 (or
>> raw) image file.
>>
>> "nodev,nosuid" is kind of a no-brainer for any host-side *data* volume
>> anyway (such as the one underlying "/home", even), so I don't see those
>> options as a challenge. But "noexec" is different.
>>
>> Thanks,
>> Laszlo
>
> On Linux, there are two types of mount options: per-superblock, and
> per-point. Most filesystem-specific options are per-superblock, and
> apply to all mounts of that device. noexec, nosuid, and nodev are
> per-mount options, and apply individually to each mount, bind or
> otherwise, of a given device. Bind mounts copy the parent per-mount
> options, but can be individually altered. Note also that it is not
> required to create a new location for a bind mount.
>
> For example, invoking:
>
> mount --bind -o noexec,nosuid,nodev /var/lib/vms/source1 /var/lib/vms/source1
>
> would effectively secure a source directory. This can also be inserted
> in /etc/fstab, such as:
>
> /var/lib/vms/source1 /var/lib/vms/source1 none bind,noexec,nosuid,nodev 0 0
>
> Note that, as explained in Stefan's initial email, this hides any
> submounts below source. Each of those must be individually protected,
> either by initially mounting with the security options or by creating a
> new bind mount as above. Although these cases should be infrequent, they
> are common enough that Stefan and I think that they should be supported,
> or at the very least not silently behave in unexpected or insecure ways.
>
> Additionally, while it's possible to use overlayfs for this purpose,
> it's overkill, and as far as I understand, doesn't solve the problem of
> hiding sub-mounts.
Awesome, this is the best answer I could possibly get. Thank you!
Laszlo
next prev parent reply other threads:[~2021-01-21 17:21 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-21 14:44 [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517) Stefan Hajnoczi
2021-01-21 14:48 ` Daniel P. Berrangé
2021-01-22 15:49 ` Vivek Goyal
2021-01-25 14:53 ` Stefan Hajnoczi
2021-01-21 14:50 ` alex--- via
2021-01-21 15:32 ` Laszlo Ersek
2021-01-21 15:52 ` alex--- via
2021-01-21 17:07 ` Laszlo Ersek [this message]
2021-01-21 19:00 ` Dr. David Alan Gilbert
2021-01-22 15:40 ` Vivek Goyal
2021-01-26 10:10 ` Stefan Hajnoczi
2021-01-25 16:12 ` Miklos Szeredi
2021-01-26 10:18 ` Stefan Hajnoczi
2021-01-26 10:27 ` Miklos Szeredi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8d4f7c40-95c7-feed-1744-73ca2349c1f2@redhat.com \
--to=lersek@redhat.com \
--cc=alex@alxu.ca \
--cc=dgilbert@redhat.com \
--cc=mszeredi@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=slp@redhat.com \
--cc=stefanha@redhat.com \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).