On Jul 24, 2023, at 7:47 AM, Richard W.M. Jones <rjo...@redhat.com> wrote: On Mon, Jul 24, 2023 at 10:08:50AM -0400, Demi Marie Obenour wrote: I saw that libguestfs has a guestmount(1) tool, and I think this could be a potential solution. An exploit against the kernel FS driver would only grant access to a KVM guest, and the QEMU process can be tightly sandboxed by means such as seccomp and SELinux.
Right. guestmount does however use an unholy combination of FUSE and proxying requests through the KVM guest so this wouldn't be very fast :-/ OTOH it may be fine for the overwhelming majority of use cases, and the tradeoff of better hardened systems could also be worth it. I’ve seen more than one implementation of “Run a Linux container on macOS” that ends up using ssh for the console and sshfs as the way to get data back and forth… and people seem to be fine with it.
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
