From: "Dr. David Alan Gilbert" <dgilb...@redhat.com>

Hi,
  This is the 2nd set for the virtiofsd - this set sits on top of the 'base' set recently posted. Most of the changes in the set are security related (with a couple more tagging along because they were hard to separate).

Stefan's main chunks make the daemon check the input from the guest; the upstream fuse code is much more trusting about what it gets from the kernel; here the security equation is inverted and the daemon is more trusted. In addition the daemon now gets sandboxing/namespacing/seccomp limited to stop anything escaping.

With this set virtiofsd is reasonably safe to use; we've got some bug fixes (including some threading fixes) to send as well though.

Dave

Dr. David Alan Gilbert (2):
  virtiofsd: Plumb fuse_bufvec through to do_write_buf
  virtiofsd: Pass write iov's all the way through

Eryu Guan (1):
  virtiofsd: print log only when priority is high enough

Miklos Szeredi (1):
  virtiofsd: passthrough_ll: add fallback for racy ops

Stefan Hajnoczi (18):
  virtiofsd: passthrough_ll: add lo_map for ino/fh indirection
  virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers
  virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers
  virtiofsd: passthrough_ll: add fd_map to hide file descriptors
  virtiofsd: validate path components
  virtiofsd: add fuse_mbuf_iter API
  virtiofsd: validate input buffer sizes in do_write_buf()
  virtiofsd: check input buffer size in fuse_lowlevel.c ops
  virtiofsd: prevent ".." escape in lo_do_lookup()
  virtiofsd: prevent ".." escape in lo_do_readdir()
  virtiofsd: use /proc/self/fd/ O_PATH file descriptor
  virtiofsd: sandbox mount namespace
  virtiofsd: move to an empty network namespace
  virtiofsd: move to a new pid namespace
  virtiofsd: add seccomp whitelist
  virtiofsd: set maximum RLIMIT_NOFILE limit
  virtiofsd: add security guide document
  virtiofsd: add --syslog command-line option

Vivek Goyal (3):
  virtiofsd: passthrough_ll: create new files in caller's context
  virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV
  virtiofsd: Drop CAP_FSETID if client asked for it

 contrib/virtiofsd/Makefile.objs    |    7 +-
 contrib/virtiofsd/buffer.c         |   28 +
 contrib/virtiofsd/fuse_common.h    |   53 +-
 contrib/virtiofsd/fuse_i.h         |    2 +-
 contrib/virtiofsd/fuse_log.c       |    4 +
 contrib/virtiofsd/fuse_lowlevel.c  |  779 +++++++++++-----
 contrib/virtiofsd/fuse_lowlevel.h  |    2 +
 contrib/virtiofsd/fuse_virtio.c    |   72 +-
 contrib/virtiofsd/helper.c         |   11 +-
 contrib/virtiofsd/passthrough_ll.c | 1317 ++++++++++++++++++++++++----
 contrib/virtiofsd/seccomp.c        |  146 +++
 contrib/virtiofsd/seccomp.h        |   16 +
 contrib/virtiofsd/security.rst     |  108 +++
 13 files changed, 2152 insertions(+), 393 deletions(-)
 create mode 100644 contrib/virtiofsd/seccomp.c
 create mode 100644 contrib/virtiofsd/seccomp.h
 create mode 100644 contrib/virtiofsd/security.rst

-- 
2.23.0
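The cover letter's point that the trust relationship is inverted (the guest kernel is the untrusted party, so the daemon must validate every name it receives before touching the host filesystem) is illustrated by the following added example. It is not code from the patch series or from virtiofsd; it is a stand-alone sketch of the kind of check the "validate path components" and "prevent '..' escape" patches describe. The function name component_ok and its buffer-length argument are this example's own assumptions, not a virtiofsd API.

```c
/*
 * Added example (not virtiofsd code): validate one directory entry name
 * received from an untrusted guest before it is used in a lookup or
 * readdir on the host side.  Because the guest kernel cannot be trusted,
 * the daemon must reject names that are unterminated within the request
 * buffer, empty, longer than NAME_MAX, contain a '/' (which would walk
 * into another directory), or are "." / ".." (which could escape the
 * exported root).  component_ok and its buflen parameter are assumptions
 * made for this example only.
 */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef NAME_MAX
#define NAME_MAX 255
#endif

/*
 * Return true only if 'name' is a single, safe path component.
 * 'buflen' is the number of bytes of request buffer that actually hold
 * the name; the NUL terminator must fall inside it, otherwise a plain
 * strlen() would read past the end of what the guest sent.
 */
bool component_ok(const char *name, size_t buflen)
{
    size_t len = strnlen(name, buflen);

    if (len == buflen) {
        return false;           /* no terminator inside the buffer */
    }
    if (len == 0 || len > NAME_MAX) {
        return false;           /* empty or over-long name */
    }
    if (memchr(name, '/', len) != NULL) {
        return false;           /* embedded '/' would traverse directories */
    }
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.'))) {
        return false;           /* "." and ".." are never looked up as-is */
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, as a guest might send them in a LOOKUP. */
    static const struct { const char *name; size_t buflen; } samples[] = {
        { "foo",     4 },       /* normal name, terminated              */
        { ".hidden", 8 },       /* dotfile is fine                      */
        { "..",      3 },       /* escape attempt                       */
        { "a/b",     4 },       /* traversal attempt                    */
        { "abc",     3 },       /* terminator outside the request body  */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-8s -> %s\n", samples[i].name,
               component_ok(samples[i].name, samples[i].buflen)
                   ? "accept" : "reject");
    }
    return 0;
}
```

The check is deliberately done on the raw request bytes with an explicit length rather than on a C string, which is the difference between trusting the guest to have terminated the name and verifying it. Rejecting ".." at the name level does not by itself stop a lookup of a parent directory that the guest learnt through readdir; the patch series handles that separately in lo_do_lookup() and lo_do_readdir(), and a real implementation still needs the O_PATH/openat-based handling those patches add.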