On 05/24/2017 10:54 AM, Greg Kurz wrote:
> On Wed, 24 May 2017 00:59:29 +0200
> Leo Gaspard <l...@gaspard.io> wrote:
>
>> On 05/23/2017 04:32 PM, Greg Kurz wrote:
>>> v2: - posted patch for CVE-2017-7493 separately
>>> - other changes available in each patch changelog
>>>
>>> Leo,
>>>
>>> If you find time to test this series, I'll gladly add your Tested-by: to
>>> it before merging.
>>
>> Just tested with a base of 2.9.0 with patches [1] [2] (from my
>> distribution), [3] (required to apply cleanly) and this patchset.
>>
>> Things appear to work as expected, and .virtfs_metadata{,_root} appear
>> to be neither readable nor writable by any user.
>>
>
> Shall I add your Tested-by: to the patch then ?Hmm, I can't find the definition of Tested-by: on [1], but if it means "tested it by hand without maybe trying all possible edge cases" then I guess you can add it :) >> That said, one thing still bothering me with the fix in [3] is that it >> still "leaks" the host's uid/gid to the guest when a corresponding file >> in .virtfs_metadata is not present (while I'd have expected it to appear >> as root:root in the guest), but that's a separate issue, and I guess >> retro-compatibility prevents any fixing it. >> > > Heh, I had a tentative patch to create root:root credentials and 0700 mode > bits by default... but this could indeed break some setups, so I decided > not to post it. Hmm, maybe adding an option to the security_model=mapped-* that allows to run default to root:root 0700 would allow to keep retrocompat, and in a few versions swap the default value of the parameter? As the 'dscript=no' of -netdev type=tap appears to have disappeared -- and broke my scripts -- in the switch to 1.9.0, I guess such a change would be allowed by the retrocompatibility policy of qemu? Anyway, it's fun to see you had thought of that too! Cheers, Leo [1] http://wiki.qemu.org/Contribute/SubmitAPatch
signature.asc
Description: OpenPGP digital signature
