From: Stefan Hajnoczi <stefanha@redhat.com>
To: Colin Walters <walters@verbum.org>
Cc: German Maglione <gmaglione@redhat.com>,
Vivek Goyal <vgoyal@redhat.com>,
virtio-fs-list <virtio-fs@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: [Virtio-fs] virtiofsd: Any reason why there's not an "openat2" sandbox mode?
Date: Tue, 27 Sep 2022 16:14:20 -0400 [thread overview]
Message-ID: <YzNZnPiUqySu6sGh@fedora> (raw)
In-Reply-To: <798fe353-9537-44fe-a76a-819e8c93abb5@www.fastmail.com>
[-- Attachment #1: Type: text/plain, Size: 2006 bytes --]
On Tue, Sep 27, 2022 at 01:51:41PM -0400, Colin Walters wrote:
>
>
> On Tue, Sep 27, 2022, at 1:27 PM, German Maglione wrote:
> >
> >> > Now all the development has moved to rust virtiofsd.
>
> Oh, awesome!! The code there looks great.
>
> > I could work on this for the next major version and see if anything breaks.
> > But I prefer to add this as a compilation feature, instead of a command line
> > option that we will then have to maintain for a while.
>
> Hmm, what would be the issue with having the code there by default? I think rather than any new command line option, we automatically use `openat2+RESOLVE_IN_ROOT` if the process is run as a nonzero uid.
>
> > Also, I don't see it as a sandbox feature, as Stefan mentioned, a compromised
> > process can call openat2() without RESOLVE_IN_ROOT.
>
> I'm a bit skeptical honestly about how secure the existing namespace code is against a compromised virtiofsd process. The primary worry is guest filesystem traversals, right? openat2+RESOLVE_IN_ROOT addresses that. Plus being in Rust makes this dramatically safer.
>
> > I did some test with
> > Landlock to lock virtiofsd inside the shared directory, but IIRC it requires a
> > kernel 5.13
>
> But yes, landlock and other things make sense, I just don't see these things as strongly linked. IOW we shouldn't in my opinion block unprivileged virtiofsd on more sandboxing than openat2 already gives us.
I think openat2(RESOLVE_IN_ROOT) support should be added unless there is
another unprivileged mechanism that is stronger.
The security implications need to be covered in the user documentation
so people can decide whether using this mode is appropriate.
We should continue to explain the difference between a voluntary
mechanism like openat2(RESOLVE_IN_ROOT) and a mandatory mechanism like
mount namespaces with pivot_root(2). Rust programs are not immune to
arbitrary code execution, but it's less likely than with a C program.
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2022-09-27 20:15 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-09 21:24 virtiofsd: Any reason why there's not an "openat2" sandbox mode? Colin Walters
2022-09-27 16:37 ` Vivek Goyal
2022-09-27 16:57 ` Vivek Goyal
2022-09-27 17:27 ` German Maglione
2022-09-27 17:51 ` Colin Walters
2022-09-27 20:14 ` Stefan Hajnoczi [this message]
2022-09-28 8:33 ` [Virtio-fs] " Sergio Lopez
2022-09-28 19:28 ` Vivek Goyal
2022-09-29 14:04 ` Colin Walters
2022-09-29 14:10 ` Vivek Goyal
2022-09-29 15:47 ` Colin Walters
2022-09-29 17:03 ` Vivek Goyal
2022-09-30 8:13 ` German Maglione
2022-10-03 22:51 ` Colin Walters
2022-10-05 21:29 ` Vivek Goyal
2022-09-28 19:26 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YzNZnPiUqySu6sGh@fedora \
--to=stefanha@redhat.com \
--cc=gmaglione@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
--cc=walters@verbum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).