From: Stefan Hajnoczi <stefa...@redhat.com>
If the process is compromised there should be no network access. Use an
empty network namespace to sandbox networking.
Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
---
tools/virtiofsd/passthrough_ll.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index e6ecf95e31..0d061de438 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -1943,6 +1943,19 @@ static void print_capabilities(void)
printf("}\n");
}
+/*
+ * Called after our UNIX domain sockets have been created, now we can move to
+ * an empty network namespace to prevent TCP/IP and other network activity in
+ * case this process is compromised.
+ */
+static void setup_net_namespace(void)
+{
+ if (unshare(CLONE_NEWNET) != 0) {
+ fuse_log(FUSE_LOG_ERR, "unshare(CLONE_NEWNET): %m\n");
+ exit(1);
+ }
+}
+
/* This magic is based on lxc's lxc_pivot_root() */
static void setup_pivot_root(const char *source)
{
@@ -2034,6 +2047,7 @@ static void setup_mount_namespace(const char *source)
*/
static void setup_sandbox(struct lo_data *lo)
{
+ setup_net_namespace();
setup_mount_namespace(lo->source);
}
--
2.24.1
